[Pdns-users] pdns-recursor Permissions Error

Brian Candler b.candler at pobox.com
Fri Jan 10 10:45:18 UTC 2020


On 10/01/2020 09:56, Otto Moerbeek via Pdns-users wrote:
> It looks like the rec_control line in your snmpd.conf is triggering the
> problem. Likely the snmpd subsystem starts rec_control as a user that
> does not have permission to write into /var/run/pdns-recursor.
>
> You can try disabling (by commenting it out) the
>
> extend pdns-rec /usr/local/bin/pdns_stats
>
> line or, if you really need it, change the permissions of the
> /var/run/pdns-recursor dir to include rwx for others.
>
> Note that the latter might have security implications on your system. You
> must decide if that is OK for you.

As someone mentioned before: if this is an SELinux environment (e.g. 
CentOS/RedHat), snmpd may be prevented from accessing files in random 
directories, even if normal file/directory perms allow it.

Similar situation: I was using snmpd-mdraid-connector and 
snmpd-smartctl-connector, with these lines in snmpd.conf:

pass_persist .1.3.6.1.4.1.38696.2.1 /usr/sbin/snmpd-smartctl-connector
pass_persist .1.3.6.1.4.1.38696.2.2 /usr/sbin/snmpd-mdraid-connector

There is a separate cronjob which writes files that these connectors 
read.  To make these work, I had to ensure all the files were written 
under /var/cache/snmp, and set the selinux type to `snmpd_var_run_t`.

In ansible-ese:

- name: create cache dir
  action: file path={{item}} state=directory setype=snmpd_var_run_t
  with_items:
    - /var/cache/snmp
    - /var/cache/snmp/mdadm
    - /var/cache/snmp/smartctl

You can test if this is the problem by putting selinux into permissive
mode temporarily, before digging down further into exactly what the
required fix is.

Alternatively: move away from using SNMP for collecting host and service 
information.  Almost anything is better.  Prometheus + node_exporter is 
my favourite solution.

Regards,

Brian.
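
Added example, not part of the original post: one way to confirm the SELinux explanation from the audit log is to summarise AVC denials whose source domain is snmpd_t. The function names, the sample log lines and the var_run_t target type are constructed for illustration; in permissive mode the same denials are still logged, with permissive=1.

```shell
#!/bin/sh
# Summarise SELinux AVC denials raised by processes running in snmpd_t.
# Reads audit.log lines on stdin; prints one line per distinct denial:
#   <count> <comm> <permissions> <tclass> <target type> <permissive flag>
# On a live host (as root): snmpd_denials < /var/log/audit/audit.log
snmpd_denials() {
    awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:snmpd_t:/ {
        comm = ""; tclass = ""; ttype = ""; perms = ""; pm = "permissive=?"
        # permissions sit between the braces
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)       { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
            if ($i ~ /^tcontext=/)   { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^permissive=/) { pm = $i }
        }
        seen[comm " " perms " " tclass " " ttype " " pm]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# Constructed sample input (not real log data): two denials from a helper
# started by snmpd, plus one unrelated httpd denial that must be ignored.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1578652000.101:501): avc:  denied  { write } for  pid=2101 comm="rec_control" name="pdns-recursor" dev="tmpfs" ino=30211 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578652060.417:502): avc:  denied  { write } for  pid=2188 comm="rec_control" name="pdns-recursor" dev="tmpfs" ino=30211 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578652100.009:503): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_log | snmpd_denials
```

If nothing is reported while snmpd is failing, SELinux is unlikely to be the cause and ordinary file permissions are the next thing to check.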


