bind9 failed to upgrade - /var/run/bind/run permission denied

Bug #516726 reported by Matej
This bug affects 1 person
Affects: bind9 (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: bind9

lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10

apt-cache policy bind9
bind9:
  Installed: 1:9.6.1.dfsg.P1-3ubuntu0.3
  Candidate: 1:9.6.1.dfsg.P1-3ubuntu0.3
  Version table:
 *** 1:9.6.1.dfsg.P1-3ubuntu0.3 0
        500 http://security.ubuntu.com karmic-security/main Packages
        500 http://archive.ubuntu.com karmic-updates/main Packages
        100 /var/lib/dpkg/status
     1:9.6.1.dfsg.P1-3 0
        500 http://archive.ubuntu.com karmic/main Packages

Bind failed to start. There were no problems with the previous version of Ubuntu.

Lines in /var/log/syslog:
Feb 3 21:22:36 x named[3059]: command channel listening on ::1#953
Feb 3 21:22:36 x named[3059]: couldn't mkdir '/var/run/bind/run': Permission denied
Feb 3 21:22:36 x named[3059]: exiting (due to early fatal error)
Feb 3 21:22:36 x kernel: [ 939.289310] type=1503 audit(1265228556.532:33): operation="mkdir" pid=3060 parent=3058 profile="/usr/sbin/named" requested_mask="w::" denied_mask="w::" fsuid=114 ouid=114 name="/var/run/bind/run/"

ProblemType: Package
AptOrdering:
 dialog: Install
 bind9: Configure
 dialog: Configure
Architecture: i386
Date: Tue Feb 2 22:52:00 2010
DistroRelease: Ubuntu 9.10
ErrorMessage: subprocess installed post-installation script returned error exit status 1
Package: bind9 1:9.6.1.dfsg.P1-3ubuntu0.3
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: bind9
Title: package bind9 1:9.6.1.dfsg.P1-3ubuntu0.3 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Uname: Linux 2.6.31-17-generic i686

Chuck Short (zulcss) wrote :

Can you please attach your /etc/named.conf?

Thanks
chuck

Changed in bind9 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Matej (mato-dio) wrote :

/etc/named.conf is in the attachment; here is /etc/bind/named.conf.options, which is included:

options {
        directory "/var/cache/bind";
        pid-file "/var/run/bind/run/named.pid";

        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
};

named.conf.local is empty

Reinhold Kainhofer (reinhold) wrote :

This seems to be a problem with AppArmor, which adds rules only for /var/run/named/..., but not for /var/run/bind/... Unfortunately, if you are using e.g. ISPConfig on Ubuntu, it will modify the pidfile in named.conf to /var/run/bind/run/named.pid, which AppArmor does not allow, and voila, your name server is down!

Cheers,
Reinhold
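
The correlation described in the comment above, as an added example that is not part of the original report or of bind9/AppArmor: it parses the `type=1503` audit line in the format shown in the syslog excerpt and checks whether the denied path is a parent of the configured `pid-file`. The function names and the constructed sample strings are assumptions made for illustration.

```python
import re

# Constructed sample input: the two relevant syslog lines and the options
# block, as quoted in this report.
SYSLOG = """\
Feb 3 21:22:36 x named[3059]: couldn't mkdir '/var/run/bind/run': Permission denied
Feb 3 21:22:36 x kernel: [ 939.289310] type=1503 audit(1265228556.532:33): operation="mkdir" pid=3060 parent=3058 profile="/usr/sbin/named" requested_mask="w::" denied_mask="w::" fsuid=114 ouid=114 name="/var/run/bind/run/"
"""
NAMED_OPTIONS = """\
options {
        directory "/var/cache/bind";
        pid-file "/var/run/bind/run/named.pid";
        auth-nxdomain no; # conform to RFC1035
};
"""

AUDIT_RE = re.compile(r'type=1503 audit\([^)]*\): (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_denials(text):
    """Return one dict of key=value fields per type=1503 audit line."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            records.append({qk or k: qv if qk else v
                            for qk, qv, k, v in FIELD_RE.findall(m.group(1))})
    return records


def pid_file(conf):
    """Return the pid-file path from named options text, or None."""
    conf = re.sub(r'(#|//).*', '', conf)  # drop line comments (not /* */)
    m = re.search(r'\bpid-file\s+"([^"]+)"\s*;', conf)
    return m.group(1) if m else None


def explain(syslog, conf, profile="/usr/sbin/named"):
    """List denials under `profile` whose path is a parent of pid-file."""
    pid = pid_file(conf)
    return [(d["operation"], d["name"], d["denied_mask"], pid)
            for d in parse_denials(syslog)
            if pid and d.get("profile") == profile
            and pid.startswith(d.get("name", "\0"))]


if __name__ == "__main__":
    for op, path, mask, pid in explain(SYSLOG, NAMED_OPTIONS):
        print(f"{op} on {path} denied (mask {mask}); pid-file is {pid}")
```

An empty result for a config without a `pid-file` line matches the workaround reported later in the thread, where commenting the directive out let named start.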

Mathias Gug (mathiaz) wrote :

@Matej: what changed the default location of the pid-file? ISPconfig?

If so it's an issue with the program that changed the default pid-file location. This bug should be marked as invalid for bind9 then.

Matej (mato-dio) wrote :

@reinhold & @Mathias:

Thank you for the explanation. I tried to add write permission to /var/run/bind/ and it did not work - now I know why.
I commented out the pid-file line, so the /var/run/named dir was used (I had to add write permission) and it started working :)
I am pretty sure that I did not touch the pid-file location; I suppose it was changed by the upgrade to Karmic (by the mentioned ISPConfig? I really do not remember when exactly it happened, but it was some time after the upgrade, when I needed to try out something with bind), which is why I was confused.

Thanks again and sorry for wasting your time

Chuck Short (zulcss)
Changed in bind9 (Ubuntu):
status: Incomplete → Invalid