bind9 failed to upgrade - /var/run/bind/run permission denied

Bug #516726 reported by Matej on 2010-02-03
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)

Bug Description

Binary package hint: bind9

lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10

apt-cache policy bind9
  Installed: 1:9.6.1.dfsg.P1-3ubuntu0.3
  Candidate: 1:9.6.1.dfsg.P1-3ubuntu0.3
  Version table:
 *** 1:9.6.1.dfsg.P1-3ubuntu0.3 0
        500 karmic-security/main Packages
        500 karmic-updates/main Packages
        100 /var/lib/dpkg/status
     1:9.6.1.dfsg.P1-3 0
        500 karmic/main Packages

Bind failed to start. There were no problems with previous version of Ubuntu.

Lines in /var/log/syslog:
Feb 3 21:22:36 x named[3059]: command channel listening on ::1#953
Feb 3 21:22:36 x named[3059]: couldn't mkdir '/var/run/bind/run': Permission denied
Feb 3 21:22:36 x named[3059]: exiting (due to early fatal error)
Feb 3 21:22:36 x kernel: [ 939.289310] type=1503 audit(1265228556.532:33): operation="mkdir" pid=3060 parent=3058 profile="/usr/sbin/named" requested_mask="w::" denied_mask="w::" fsuid=114 ouid=114 name="/var/run/bind/run/"

ProblemType: Package
 dialog: Install
 bind9: Configure
 dialog: Configure
Architecture: i386
Date: Tue Feb 2 22:52:00 2010
DistroRelease: Ubuntu 9.10
ErrorMessage: subprocess installed post-installation script returned error exit status 1
Package: bind9 1:9.6.1.dfsg.P1-3ubuntu0.3
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: bind9
Title: package bind9 1:9.6.1.dfsg.P1-3ubuntu0.3 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Uname: Linux 2.6.31-17-generic i686

Chuck Short (zulcss) wrote :

Can you please attach your /etc/named.conf?


Changed in bind9 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Matej (mato-dio) wrote :

/etc/named.conf is in attachment, here is /etc/bind/named.conf.options, which is included:

options {
        directory "/var/cache/bind";
        pid-file "/var/run/bind/run/";

        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
        dnssec-enable yes;
        dnssec-validation yes;
};

named.conf.local is empty

Reinhold Kainhofer (reinhold) wrote :

This seems to be a problem with AppArmor, which adds rules only for /var/run/named/..., but not for /var/run/bind/... Unfortunately, if you are using e.g. ISPConfig on Ubuntu, it will modify the pidfile in named.conf to /var/run/bind/run/, which AppArmor does not allow, and voila, your name server is down!
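
The diagnosis described in the comment above, as an added example that is not part of the original report or of bind9/AppArmor: it parses the AppArmor denial from the syslog excerpt and checks whether the configured pid-file lies outside the paths the profile allows. The function names and the allowed-prefix list are assumptions; the prefix is taken from this comment, not read from the real profile.

```python
import posixpath
import re

# Constructed input: the AppArmor audit record quoted in the report's syslog excerpt.
AUDIT_LINE = (
    'Feb 3 21:22:36 x kernel: [ 939.289310] type=1503 audit(1265228556.532:33): '
    'operation="mkdir" pid=3060 parent=3058 profile="/usr/sbin/named" '
    'requested_mask="w::" denied_mask="w::" fsuid=114 ouid=114 '
    'name="/var/run/bind/run/"'
)
# Constructed input: the relevant lines of the posted named.conf.options.
NAMED_OPTIONS = 'options {\n        directory "/var/cache/bind";\n        pid-file "/var/run/bind/run/";\n};\n'
# Assumption: the only writable run directory in the profile, per the thread.
ALLOWED_WRITE_PREFIXES = ("/var/run/named/",)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PID_FILE = re.compile(r'^[ \t]*pid-file[ \t]+"([^"]+)"[ \t]*;', re.MULTILINE)

def parse_apparmor_denial(line):
    """Return the key=value fields of a denial record (type as in the report), else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if fields.get("type") != "1503" or "denied_mask" not in fields:
        return None
    return fields

def pid_file_path(conf_text):
    """Return the active (uncommented) pid-file setting, else None."""
    match = PID_FILE.search(conf_text)
    return match.group(1) if match else None

def diagnose(audit_line, conf_text, allowed=ALLOWED_WRITE_PREFIXES):
    """Relate a denial to a pid-file that lies outside the profile's paths."""
    denial = parse_apparmor_denial(audit_line)
    pid_file = pid_file_path(conf_text)
    if denial is None or pid_file is None:
        return None
    outside = not pid_file.startswith(allowed)
    # The syslog shows named trying to mkdir the directory that holds the pid file.
    same_dir = denial["name"].rstrip("/") == posixpath.dirname(pid_file)
    return {
        "profile": denial["profile"],
        "operation": denial["operation"],
        "denied_path": denial["name"],
        "pid_file": pid_file,
        "pid_file_outside_profile": outside,
        "explains_denial": outside and same_dir and "w" in denial["denied_mask"],
    }

if __name__ == "__main__":
    print(diagnose(AUDIT_LINE, NAMED_OPTIONS))
```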


Mathias Gug (mathiaz) wrote :

@Matej: what changed the default location of the pid-file? ISPConfig?

If so it's an issue with the program that changed the default pid-file location. This bug should be marked as invalid for bind9 then.

Matej (mato-dio) wrote :

@reinhold & @Mathias:

Thank you for the explanation, I tried to add write permission to /var/run/bind/ and it did not work - now I know why.
I commented out the pid-file line, so the /var/run/named dir was used (I had to add write permission) and it started working :)
I am pretty sure that I did not touch the pid-file location, I suppose it was changed by the upgrade to Karmic (by the mentioned ISPConfig? I really do not remember when exactly it happened, but it was some time after the upgrade, when I needed to try out something with bind), that's why I was confused.

Thanks again and sorry for wasting your time

Chuck Short (zulcss) on 2010-09-13
Changed in bind9 (Ubuntu):
status: Incomplete → Invalid