named cannot open /dev/random

Post by active » Fri Sep 02, 2005 4:43 pm

Hi all, I've a problem on a Sparc Ultra30 with a chrooted bind-9.2.5-r4 installation.
When the server starts, it gives me the error:
named[1343]: could not open entropy source /dev/random: permission denied

I tried to give to the user 'named' all privileges on the dev/ directory but nothing has changed.
I thought also it was a grsec problem, but with a clean kernel the problem persists.
The strange thing is that on an x86 machine with the same configuration as the sparc, bind runs
without problems.
Although I've this error, the server seems to work fine (I read that the entropy is used only
in TSIG and dynamic updates).
Anyone got a solution for this situation?

My named.conf options are:

Code: Select all

options {
        directory "/var/bind";
        pid-file "/var/run/named.pid";
        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";

        listen-on { 192.168.10.10; };

        query-source address * port 53;

        notify yes;

        forward first;
        forwarders {
                62.149.128.2;   // dns.technorail.com.
                195.31.190.31;  // dnsca.tin.it.
        };

        blackhole { bogon; };
};
Post by wan-geek » Fri Jan 06, 2006 7:42 am

I hope you have found a solution to this by now (being several months later), but I am going to reply for the forum's completeness.

I would first do a search of the forums and check threads such as:
http://forums.gentoo.org/viewtopic-t-33 ... andom.html

As this forum implies, at the end of the emerge of bind there is a set of instructions for running an ebuild that will correct/complete the chroot environment. (I'm assuming you are trying to run a proper chroot'd bind... otherwise you could reach /dev/random outside the jail). [I will admit that I sometimes find myself re-emerging packages just to get the comments/instructions at the end of a build... they can be easy to overlook if you are building a number of packages at once]
(output omitted)
* The BIND ebuild now includes chroot support.
* If you like to run bind in chroot AND this is a new install OR
* your bind doesn't already run in chroot, simply run:
* `emerge --config '=net-dns/bind-9.3.2'`
* Before running the above command you might want to change the chroot
* dir in /etc/conf.d/named. Otherwise /chroot/dns will be used.
At any rate, setting up the chroot jail for bind to run is rather simple. (In the case of this reply, bind 9.3.2 is the most recent version installed via emerge.) Run the following command:

Code: Select all

emerge --config '=net-dns/bind-9.3.2'
and it will create the proper chroot environment for you.

Once that is complete, don't forget to edit /etc/conf.d/named to specify the location of the chroot

Code: Select all

CHROOT="/var/named"
to set the chroot to the ebuild environment.

Once all this is complete, I chown'd everything to named:named ...and you're good to go.

Hope this helps.

Cheers mate,
-Chris
Post by linuxbum » Fri Jan 06, 2006 10:09 pm

Could this be that you are using udev, not devfs, and the /dev/random is not created?

I don't use the named daemon on my x86 system using udev.

Bryan
Post by wan-geek » Tue Feb 14, 2006 9:18 am

Not a udev problem.

This is caused by the _chroot_ function. It is a very good idea to chroot these processes whenever possible. This limits the ability for a compromise to take over the entire machine as easily.

Since the process is CHange ROOTing to a different location within the filesystem, anything in /dev won't even exist unless it is set up first.

If you recall, even for a Gentoo install, you chroot to /mnt/gentoo (or wherever) and start building from there. Same concept.

Once the ebuild script is run, the proper chroot environment is pre-built FOR you. All one needs to do is copy in the zone data files and you're rockin.

Good Luck,
-Chris
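
Added example, not part of any post in this thread and not code from the BIND ebuild: a shell check for the point made in the last reply, that nothing under /dev exists inside the jail unless it is set up first. The function name `check_jail_dev` is hypothetical, the expected major:minor numbers are the Linux values for /dev/null and /dev/random, and a `stat` that supports `-c` is assumed.

```shell
#!/bin/sh
# Added example: audit the device nodes inside a chroot jail.
# Assumed Linux device numbers: /dev/null = char 1:3, /dev/random = char 1:8.
# Requires a stat that supports -c (GNU coreutils or busybox).

check_jail_dev() {
    jail=$1
    problems=0
    # Each spec is name:major:minor (hex, as printed by stat %t and %T).
    for spec in null:1:3 random:1:8; do
        name=${spec%%:*}
        want=${spec#*:}
        node="$jail/dev/$name"
        if [ ! -e "$node" ]; then
            echo "MISSING   $node"
            problems=$((problems + 1))
        elif [ ! -c "$node" ]; then
            # A regular file copied into place is not an entropy source.
            echo "NOT-CHAR  $node (not a character device)"
            problems=$((problems + 1))
        else
            have=$(stat -c '%t:%T' "$node")
            if [ "$have" != "$want" ]; then
                echo "WRONG-DEV $node is $have, expected $want"
                problems=$((problems + 1))
            else
                # Owner and mode are printed for review, not judged here.
                echo "OK        $node $(stat -c '%U:%G %a' "$node")"
            fi
        fi
    done
    # Exit status is the number of nodes that failed a check.
    return "$problems"
}

# Run against a jail path when one is given on the command line,
# for example the CHROOT value from /etc/conf.d/named.
if [ $# -gt 0 ]; then
    check_jail_dev "$1"
fi
```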