[Pdns-users] pdns-recursor Permissions Error

Sharone missakiiki at gmail.com
Fri Jan 10 11:07:46 UTC 2020


Thank you, Otto. I have tried both options on a dummy server with the exact
same setup.
I have attempted to comment out the line "extend pdns-rec
/usr/local/bin/pdns_stats" in the snmpd.conf file and still got the same
error; however, changing the permissions of the entire directory to rwx worked,
but as you mentioned, this indeed brings about a security issue.
This line is necessary in snmpd.conf in order for us to poll statistics
onto Cacti from the recursive DNS servers.
This is working on other DNS servers with Ubuntu 16 except 2 servers, and
this has been mind-boggling.
I am running AppArmor (the default) and not SELinux on the servers.

Regards,
Sharone


On Fri, 10 Jan 2020 at 12:56, Otto Moerbeek via Pdns-users <
pdns-users at mailman.powerdns.com> wrote:

> It looks like the rec_control line in your snmpd.conf is triggering the
> problem. Likely the snmpd subsystem starts rec_control as a user that
> does not have permission to write into /var/run/pdns-recursor.
>
> You can try disabling (by commenting it out) the
>
> extend pdns-rec /usr/local/bin/pdns_stats
>
> line or, if you really need it, change the permissions of the
> /var/run/pdns-recursor dir to include rwx for others.
>
> Note that the latter might have security implications on your system. You
> must decide if that is OK for you.
>
>         -Otto
>
>
> On 2020-01-09 06:24, Sharone wrote:
> > Hello Steve,
> >
> > I appreciate your response. Below is what is inside
> > /etc/snmp/snmpd.conf file
> >
> > rocommunity public
> > syslocation "Data Center"
> > syscontact admin at techs.co.ug
> > createUser admin SHA admin123! AES admin123!
> > rouser admin authPriv
> > extend pdns-rec /usr/local/bin/pdns_stats
> > agentAddress udp:161,udp6:[::1]:161
> >
> > /etc/default/snmpd
> >
> > # This file controls the activity of snmpd
> >
> > # Don't load any MIBs by default.
> > # You might comment this lines once you have the MIBs downloaded.
> > export MIBS=
> >
> > # snmpd control (yes means start daemon).
> > SNMPDRUN=yes
> >
> > # snmpd options (use syslog, close stdin/out/err).
> > SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
> >
> > snmp service status
> >
> > # systemctl status snmpd.service
> > ● snmpd.service - LSB: SNMP agents
> >    Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
> >    Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
> >      Docs: man:systemd-sysv-generator(8)
> >   Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited,
> > status=0/SUCCESS)
> >   Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited,
> > status=0/SUCCESS)
> >     Tasks: 1
> >    Memory: 4.3M
> >       CPU: 66ms
> >    CGroup: /system.slice/snmpd.service
> >            └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I
> > -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
> >
> > Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
> > Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
> > Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
> > Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
> >
> > Regards,
> > Sharone
> >
> >
> > On Wed, 8 Jan 2020 at 22:35, Steve Shipway <steve.shipway at smxemail.com> wrote:
> >
> >     On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
> >>     # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> >>     iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 =
> >>     STRING: "Fatal: Unable to generate local temporary file in
> >>     directory '/var/run/pdns-recursor': Permission denied"
> >
> >     A couple of thoughts here. Either
> >     - SELinux is doing its magic and blocking - this should be logged in
> >     the syslog if so, or
> >     - Your SNMP is running with chroot enabled and
> >     /var/run/pdns-recursor doesn't exist in the chroot environment
> >     - rec_control is trying to generate a tmp file as the snmp user so
> >     doesn't have write permission.
> >     - Your SNMP daemon is using a temporary file for the rec_control
> >     output which it is trying to put in /var/run/pdns-recursor
> >
> >     Being able to see your snmp daemon configuration would probably help
> >     with diagnosing this, so please post it here if possible.
> >
> >     Steve
> >
> >
> >     --
> >     Steve Shipway | Senior Email Systems Administrator
> >     Phone: +64 9 302 0515 Fax: +64 9 302 0518
> >     Freephone: 0800 SMX SMX (769 769)
> >     SMX Limited: Level 10, 19 Victoria Street West, Auckland, New Zealand
> >     Web: http://smxemail.com
> >
> >     This email has been filtered by SMX. For more information
> >     visit smxemail.com
> >     _______________________________________________
> >     Pdns-users mailing list
> >     Pdns-users at mailman.powerdns.com
> >     https://mailman.powerdns.com/mailman/listinfo/pdns-users
> >
> >
> >
>
> --
> kind regards,
> Otto Moerbeek
> PowerDNS Developer
>
> Email: otto.moerbeek at open-xchange.com
>
>
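
Added example, not part of the thread and not PowerDNS or Net-SNMP code: a shell check of which permission class (owner, group or other) lets the account snmpd runs as (`-u snmp` in the quoted SNMPDOPTS) create files in /var/run/pdns-recursor, and whether the directory has been opened to every local user. The function names are hypothetical, GNU stat is assumed, and only classic mode bits are modelled.

```shell
#!/bin/sh
# Added example. Models classic Unix mode bits only: root's override,
# ACLs and AppArmor/SELinux policy are NOT considered here.

# dir_write_path DIR UID "GID GID ..."
# Prints the permission class that applies to UID and lets it create files
# in DIR (needs both w and x): owner, group or other. Prints "none" if the
# applicable class does not allow it.
dir_write_path() {
    dir=$1 uid=$2 gids=$3
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    d_uid=$1 d_gid=$2 mode=$((0$3))     # %a is octal, e.g. 755 or 1777
    if [ "$uid" = "$d_uid" ]; then
        class=owner need=$((0300))
    else
        class=other need=$((0003))
        for g in $gids; do
            if [ "$g" = "$d_gid" ]; then class=group need=$((0030)); fi
        done
    fi
    if [ $((mode & need)) -eq "$need" ]; then echo "$class"; else echo none; fi
}

# world_writable_no_sticky DIR
# Succeeds when DIR grants write to "other" without the sticky bit, i.e. any
# local account can create, rename or delete entries in it.
world_writable_no_sticky() {
    m=$(stat -c '%a' "$1") || return 2
    m=$((0$m))
    [ $((m & 0002)) -ne 0 ] && [ $((m & 01000)) -eq 0 ]
}

# Optional CLI, e.g.: sh check.sh snmp /var/run/pdns-recursor
if [ $# -eq 2 ]; then
    path=$(dir_write_path "$2" "$(id -u "$1")" "$(id -G "$1")")
    echo "$1 can create files in $2 via: $path"
    if world_writable_no_sticky "$2"; then
        echo "WARNING: $2 is writable by every local user (no sticky bit)"
    fi
fi
```

A result of `other` means access comes only from the "rwx for others" change discussed above; `group` means it comes from a group the account belongs to.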