Open thantzsche opened 2 years ago
The issue here is pdnsutil will create files on its own, so either you need to run pdnsutil as the pdns user or accept the fact that the first time you create LMDB files with pdnsutil you need to chown them manually. Or exclusively use the API to create new zones.
Just for my understanding (please correct me if I'm wrong about that): Fact: pdns.conf contains the option "setuid=pdns". Is it always pdnsutil that creates the first lmdb file at the first start (in my case dns00.lmdb), or is this first step managed by the auth daemon? (I checked: the daemon effectively runs with uid=pdns.) pdnsutil needs to know where to create a new zone (and possibly a new lmdb file), so it needs to look into pdns.conf to find the path given with "lmdb-filename=", right? Should it not also process the option "setuid=" to set the correct owner for the lmdb files?
> Should it not also process the option "setuid=" to set the correct owner for the lmdb files?
This is a very good question. I've marked this ticket as an enhancement request so we can think about this.
This is #3386, basically?
> This is #3386, basically?
I would say so. Since pdnsutil is an easy and powerful CLI zone manager for pdns, it should take care of the correct access rights the daemon is effectively running with, or else it renders the whole system unreliable (in my case with existing but inaccessible zones and files of the LMDB backend).
Short description
When configured with the LMDB backend, all created lmdb files initially have the owner root instead of pdns, and therefore the auth server keeps exiting and restarting at its first start until the files are manually changed to owner pdns. Adding a zone with "pdnsutil create-zone" again creates a new lmdb file with owner root, which also has to be corrected manually to work.
Environment
Steps to reproduce
1. `/usr/local/etc/rc.d/pdns start`
2. `ls -l /var/db/pdns/`
3. `chown pdns /var/db/pdns/*`
4. `pdnsutil create-zone check.prv`
5. `ls -l /var/db/pdns/`
6. `chown pdns /var/db/pdns/*`
Expected behaviour
All created lmdb files should have the owner pdns.
Actual behaviour
After step (2), the pdns daemon fills the log with:
This ends only after correcting the file owner.
Step (5): after the creation of a zone with pdnsutil, the new lmdb file again gets the owner root, and every 5 minutes the log shows:
STL Exception while updating zone cache: Unable to load database file /var/db/pdns/dns00.lmdb-1: Permission denied
Other information
The same permission problem occurs when the Authoritative is set up as secondary with LMDB backend.
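An added pre-flight check (not part of this issue or of PowerDNS) for the mismatch the thread describes: it reads `setuid=` and `lmdb-filename=` from pdns.conf, lists the LMDB data and lock files next to that path, and reports every file the configured daemon user does not own, so the "Permission denied" restart loop is caught before the daemon is started. `demo()` runs the check on a constructed temporary directory; the pdns.conf path and the file-naming pattern beyond `dns00.lmdb` / `dns00.lmdb-1` are assumptions.

```python
import glob
import os
import pwd
import tempfile


def parse_pdns_conf(text):
    """Parse key=value lines of pdns.conf, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def lmdb_files(lmdb_filename):
    """Every file kept next to lmdb-filename: dns00.lmdb, dns00.lmdb-1 and
    (assumed) their -lock companions, all created by whoever runs pdnsutil."""
    return sorted(glob.glob(glob.escape(lmdb_filename) + "*"))


def ownership_mismatches(conf, expected_uid):
    """Return (file, owner) for each LMDB file not owned by expected_uid,
    i.e. each file a daemon running as that uid will fail to open."""
    bad = []
    for path in lmdb_files(conf["lmdb-filename"]):
        uid = os.stat(path).st_uid
        if uid != expected_uid:
            try:
                owner = pwd.getpwuid(uid).pw_name
            except KeyError:  # uid without a passwd entry
                owner = str(uid)
            bad.append((os.path.basename(path), owner))
    return bad


def check_lmdb_ownership(conf_text):
    """Resolve the configured setuid user and report files it does not own."""
    conf = parse_pdns_conf(conf_text)
    return ownership_mismatches(conf, pwd.getpwnam(conf["setuid"]).pw_uid)


def demo():
    """Constructed fixture: files named as in the report, owned by the current
    user; checked against that uid (clean) and against a different uid (all flagged)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "dns00.lmdb")
        for suffix in ("", "-lock", "-1", "-1-lock"):
            open(base + suffix, "w").close()
        conf = {"lmdb-filename": base}
        return ownership_mismatches(conf, me), ownership_mismatches(conf, me + 1)
```

On a real host, call `check_lmdb_ownership(open(path_to_pdns_conf).read())` after each `pdnsutil create-zone`; a non-empty result is exactly the set of files that still need `chown`.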