[Bug 236510] [NEW] default apparmor setting prevents bind from running under chroot

Launchpad Bug Tracker 236510 at bugs.launchpad.net
Mon Oct 26 15:26:52 GMT 2009

You have been subscribed to a public bug:

Binary package hint: apparmor

Easily reproducible.

1) Fresh minimal install of LTS 8.04 Hardy
2) Install bind9, verify that permissions ARE correct
3) Create the chroot (scroll down to "DNS Server" section of http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p4 to copy/paste this setup easily )
4) Edit /etc/default/bind9 changing this line to this:
OPTIONS="-u bind -t /var/lib/named"
5) Try to start bind.  It will complain thusly to syslog:

none:0: open: /etc/bind/named.conf: permission denied
loading configuration: permission denied
exiting (due to fatal error)

To make bind work:
/etc/init.d/apparmor stop
/etc/init.d/bind9 start

To make it fail:
/etc/init.d/apparmor stop
/etc/init.d/bind9 restart

Unable to find sufficient documentation on apparmor to discover a
workaround; that would be satisfactory as well, though the next point
release should make this behavior a default: for many years and for many
reasons most servers have run bind in a chroot jail.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New
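The "permission denied" on named.conf is AppArmor, not filesystem permissions: the shipped profile for /usr/sbin/named only allows the stock paths (/etc/bind, /var/cache/bind, and so on), so the copies inside /var/lib/named are unreachable once named is started with -t. The fragment below is an added example, not part of the bug report or of the Ubuntu package, showing the rules a chrooted named needs. It assumes the chroot layout from the linked howtoforge guide (etc/bind, var/cache/bind, var/run/bind/run and dev under /var/lib/named), that the profile is /etc/apparmor.d/usr.sbin.named, and that AppArmor matches the real host path rather than the chroot-relative one.

```apparmor
# Rules to add inside the named profile (e.g. in /etc/apparmor.d/usr.sbin.named,
# or in /etc/apparmor.d/local/usr.sbin.named on releases whose profile
# #includes that file). Paths assume the linked guide's chroot layout (assumption).

  # named is started with "-u bind -t /var/lib/named": it must chroot and then
  # drop privileges; stock named profiles usually grant these already.
  capability sys_chroot,
  capability setuid,
  capability setgid,

  # Configuration, keys and master zone files inside the jail: read only.
  /var/lib/named/etc/bind/** r,

  # Slave zones, journals and the cache directory: read, write and lock.
  /var/lib/named/var/cache/bind/** lrw,

  # PID file and rndc session key written at startup (assumed location).
  /var/lib/named/var/run/bind/run/** w,

  # Device nodes created inside the jail by the setup procedure.
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random r,

# Reload the profile with: apparmor_parser -r /etc/apparmor.d/usr.sbin.named
# Then start bind9 and watch the kernel log for any remaining AppArmor denial
# naming a path under /var/lib/named; add only the rule each one needs rather
# than widening the profile to /var/lib/named/** rw, which would let a
# compromised named rewrite its own configuration and zone data.
```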
