Cannot read named.conf even when running as root

Trying to run named as my own user on an Ubuntu box, it cannot read the named.conf file:

    named -d 9 -c named.conf -g
    19-Aug-2015 11:33:10.698 starting BIND 9.9.5-3ubuntu0.4-Ubuntu -d 9 -c named.conf -g
    19-Aug-2015 11:33:10.698 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
    19-Aug-2015 11:33:10.698 ----------------------------------------------------
    19-Aug-2015 11:33:10.698 BIND 9 is maintained by Internet Systems Consortium,
    19-Aug-2015 11:33:10.698 Inc. (ISC), a non-profit 501(c)(3) public-benefit
    19-Aug-2015 11:33:10.698 corporation. Support and training for BIND 9 are
    19-Aug-2015 11:33:10.698 available at https://www.isc.org/support
    19-Aug-2015 11:33:10.698 ----------------------------------------------------
    19-Aug-2015 11:33:10.698 found 8 CPUs, using 8 worker threads
    19-Aug-2015 11:33:10.698 using 8 UDP listeners per interface
    19-Aug-2015 11:33:10.699 using up to 4096 sockets
    19-Aug-2015 11:33:10.699 Registering DLZ_dlopen driver
    19-Aug-2015 11:33:10.699 Registering SDLZ driver 'dlopen'
    19-Aug-2015 11:33:10.699 Registering DLZ driver 'dlopen'
    19-Aug-2015 11:33:10.700 decrement_reference: delete from rbt: 0x7fbd40eb6068 .
    19-Aug-2015 11:33:10.703 loading configuration from '/tmp/name/named.conf'
    19-Aug-2015 11:33:10.703 open: /tmp/name/named.conf: permission denied
    19-Aug-2015 11:33:10.703 load_configuration: permission denied
    19-Aug-2015 11:33:10.703 loading configuration: permission denied
    19-Aug-2015 11:33:10.703 exiting (due to fatal error)

I opened up the permissions on named.conf:

    drwxrwxrwx  2 don  don    4096 Aug 19 11:31 ./
    drwxrwxrwt 26 root root 118784 Aug 19 11:35 ../
    -rwxrwxrwx  1 don  don     387 Aug 19 11:33 named.conf*

I tried running it as root, with the following result:

    sudo named -d 9 -c named.conf -g

The OS is Ubuntu:

    uname -a
    Linux don-asus 3.16.0-46-generic #62~14.04.1-Ubuntu SMP Tue Aug 11 16:27:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

This all works fine on OS X and on another Ubuntu box. What else on Linux could block access to opening a file?

Edit:

    >sudo apparmor_status
    apparmor module is loaded.
    24 profiles are loaded.
    24 profiles are in enforce mode.
       /sbin/dhclient
    ...

So it looks like it is active.

As was found in the discussion in the comments, AppArmor is loaded (based on the sudo apparmor_status output).

When AppArmor is loaded and has rules in enforce mode, it can do things such as deny a particular process access to anything other than specific paths.

I think what is happening here is that it has rules for BIND that ensure the named process can only access things like /etc/bind, /var/cache/bind and /var/lib/bind (which the default Debian/Ubuntu BIND configuration uses).

If you want to disable the profile completely, the Ubuntu help wiki AppArmor page details how to disable a profile:

    sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
    sudo apparmor_parser -R /etc/apparmor.d/profile.name

Alternatively, you can adjust the rules in the BIND profile and reload it:

    sudo apparmor_parser -r /etc/apparmor.d/profile.name
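Before disabling or loosening a profile, it is worth confirming that AppArmor is the component issuing the denial and seeing exactly which path it blocked. The following is an added example, not code from the question, the answer, BIND or the AppArmor project: a small shell helper that extracts DENIED events from kernel audit lines. The log lines embedded in it are constructed samples in the kernel's AppArmor audit format, and the profile name /usr/sbin/named is assumed to be the one Ubuntu ships for BIND.

```shell
#!/bin/sh
# Added example (not from the original post): attribute a "permission denied"
# to an AppArmor profile by parsing the kernel's audit lines.
# SAMPLE_LOG is constructed test data; on a real host pipe in `dmesg` or
# /var/log/syslog instead.

SAMPLE_LOG='audit: type=1400 audit(1440000000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/tmp/name/named.conf" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1440000000.456:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=999 comm="apparmor_parser"
audit: type=1400 audit(1440000000.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/tmp/name/db.example" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# apparmor_denials: read log lines on stdin and print one line per DENIED
# event as: profile operation path denied_mask. The key="value" pairs are
# collected by name, so their order on the line does not matter.
apparmor_denials() {
    awk '
        /apparmor="DENIED"/ {
            split("", f)                 # portable way to clear the map
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=\"")
                if (eq == 0 || substr($i, length($i)) != "\"") continue
                key = substr($i, 1, eq - 1)
                val = substr($i, eq + 2, length($i) - eq - 2)
                f[key] = val
            }
            print f["profile"], f["operation"], f["name"], f["denied_mask"]
        }'
}

# denied_paths_for: distinct paths a given profile was denied, e.g.
#   denied_paths_for /usr/sbin/named < /var/log/syslog
# Each path is a candidate for moving into an allowed directory, or for an
# explicit rule in the profile before `apparmor_parser -r`.
denied_paths_for() {
    apparmor_denials | awk -v p="$1" '$1 == p { print $3 }' | sort -u
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
```

On the sample the first line printed is `/usr/sbin/named open /tmp/name/named.conf r`, which matches the `open: /tmp/name/named.conf: permission denied` in the question's named output.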