named the working directory is not writable

3

I am trying to set up Bind9 on Debian Jessie as described by Debian's Wiki. When I finish, and attempt to start BIND (service bind9 start), I get the dreaded FAIL message. Below is the tail of my /var/log/syslog:

...
Jul  5 20:23:16 debian named[8309]: command channel listening on 127.0.0.1#953
Jul  5 20:23:16 debian named[8309]: the working directory is not writable
Jul  5 20:23:16 debian named[8309]: isc_stdio_open '/var/log/update_debug.log' failed: permission denied
Jul  5 20:23:16 debian named[8309]: configuring logging: permission denied
Jul  5 20:23:16 debian named[8309]: loading configuration: permission denied
Jul  5 20:23:16 debian named[8309]: exiting (due to fatal error)

I can't seem to get past here. I created the chroot directory structure, double-checked the permissions and commands were run in order, but no change.

What can I do to continue? I do not have SELinux enabled on this system.

Canadian Luke

Posted 2016-07-06T03:29:58.907

Reputation: 22 162

Answers

3

The "working directory is not writable" message is a warning, not really related to the fatal errors that follow. You can silence that message by fixing the permissions on the base directory (which appears to be set to /var/bind9/chroot/var/cache/bind by the directions on that wiki page) but there's no real need to and it's safer to NOT fix it.

The fatal error is the inability to create the file that named thinks is /var/log/update_debug.log but is in fact /var/bind9/chroot/var/log/update_debug.log. I expect this will solve that problem:

mkdir /var/bind9/chroot/var/log
chown bind:bind /var/bind9/chroot/var/log

Bill Cole

Posted 2016-07-06T03:29:58.907

Reputation: 170
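The path mapping described in the answer above, as an added example that is not part of the original thread: a small check that translates a path as named sees it into the real host path under the chroot and reports whether the log directory exists and is owner-writable. The function names are hypothetical, the uid is passed numerically (for example from `id -u bind`), and only the owner and the owner write bit are examined, not group permissions or ACLs.

```shell
#!/bin/sh
# Added example (not from the original thread); function names are hypothetical.

# Map a path as named sees it inside the chroot to the real path on the host.
host_path() {
    printf '%s%s\n' "${1%/}" "$2"
}

# Return 0 if directory $1 is owned by numeric uid $2 with the owner write bit set,
# 1 if it exists but is not, 2 if it is missing. Group bits and ACLs are ignored.
dir_writable_by() {
    d_dir=$1 d_uid=$2
    [ -d "$d_dir" ] || return 2
    d_listing=$(ls -ldn "$d_dir") || return 2
    d_mode=${d_listing%% *}
    d_owner=$(printf '%s\n' "$d_listing" | awk '{print $3}')
    [ "$d_owner" = "$d_uid" ] || return 1
    case $d_mode in
        ??w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# $1=chroot root, $2=numeric uid named runs as,
# $3=working directory and $4=log file, both as written in named's configuration.
check_named_chroot() {
    c_root=$1 c_uid=$2 c_workdir=$3 c_logfile=$4
    c_status=0
    c_logdir=$(dirname "$(host_path "$c_root" "$c_logfile")")
    if dir_writable_by "$c_logdir" "$c_uid"; then
        echo "ok: log directory $c_logdir is writable by uid $c_uid"
    else
        echo "fatal for named: $c_logdir is missing or not writable by uid $c_uid"
        c_status=1
    fi
    c_wd=$(host_path "$c_root" "$c_workdir")
    if dir_writable_by "$c_wd" "$c_uid"; then
        echo "note: working directory $c_wd is writable by uid $c_uid (no warning, but less safe)"
    else
        echo "ok: working directory $c_wd is not writable by uid $c_uid (warning only)"
    fi
    return $c_status
}

# Usage with the paths from this thread:
# check_named_chroot /var/bind9/chroot "$(id -u bind)" /var/cache/bind /var/log/update_debug.log
```
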

0

The error is quite clear; but where do you attempt to start the setup from? Try from /tmp/ or /usr/ if you try from another location, just to be sure of non-local interference.

Did you chown the /var/named? If you did and that didn't work, go to your chroot environment file (BIND.chroot.dist) and change

/set type=dir uname=root gname=wheel mode=0644

to

/set type=dir uname=bind gname=wheel mode=0755

Overmind

Posted 2016-07-06T03:29:58.907

Reputation: 8 562

  • /var/named/ and /etc/mtree/BIND.chroot.dist are FreeBSD-isms. The OP is using a Debian Wiki How-To that puts the chroot at /var/bind9/ and describes the entirely manual chroot setup one must do on Linux.
  • "working directory is not writable" is a warning, not a fatal error. The fatal error is in the logging setup.
  • The base directory is not writable by the 'bind' user for a sound security reason: an RCE bug in named would put the whole tree under it at risk.

– Bill Cole – 2016-10-14T20:53:33.937

0

The correct directory on standard Debian bind9 builds is: /var/cache/bind

    chown -R bind:root /var/cache/bind
    rndc reload    # or: service bind9 reload
    tail -f /var/log/syslog

No more errors.

If running chrooted it will depend where you set your directories to, but the principle is the same.

Biztux

Posted 2016-07-06T03:29:58.907

Reputation: 1