cross-posted from: https://infosec.pub/post/15386345

Hi everyone,

This is my CONTAINERFILE for Bind9:

FROM debian

ENV LC_ALL C.UTF-8

# Update and upgrade system
RUN apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

# Install BIND 9 and sudo (for debugging if needed)
RUN apt-get install -y bind9 bind9-dnsutils bind9-libs bind9-utils sudo

# Configure permissions for BIND directories
RUN mkdir -p /var/cache/bind /var/lib/bind /var/log/bind
RUN chown -R bind:bind /var/cache/bind /var/lib/bind /var/log/bind
RUN chmod 664 /var/cache/bind /var/lib/bind /var/log/bind
RUN chmod -R 664 /var/cache/bind /var/lib/bind /var/log/bind

# Create and configure log files
RUN touch /var/log/bind/default.log /var/log/bind/update_debug.log /var/log/bind/security_info.log /var/log/bind/bind.log
RUN chown -R bind:bind /var/log/bind
RUN chmod 644 /var/log/bind/*.log

# Define volumes
VOLUME ["/etc/bind", "/var/cache/bind", "/var/lib/bind", "/var/log/bind"]

# Set the entrypoint to the named executable
ENTRYPOINT ["/usr/sbin/named"]

# Set the default command arguments for the named executable
CMD ["-g"]

I keep getting this error when I run it with podman:

26-Jul-2024 03:18:21.328 loading configuration from '/etc/bind/named.conf'
26-Jul-2024 03:18:21.328 directory '/var/cache/bind' is not writable
26-Jul-2024 03:18:21.332 /etc/bind/named.conf.options:2: parsing failed: permission denied

As you can see from the CONTAINERFILE, the bind user should be able to read and write to /var/cache/bind but for some reason it doesn’t.

I have been at this for a while and I’m at my wits end. Your help is appreciated!

  • poVoq@slrpnk.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    Make sure the user “bind” and whatever the owner of that folder outside of the container is, have the same user number.

    • Findmysec@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Thank you, I’ll keep that in mind. I didn’t actually mount volumes into the container yet, the problem was solved upon changing to chmod 755

  • pcouy@lemmy.pierre-couy.fr
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    Is named actually running as the bind user inside the container ? Maybe a USER bind line below the RUN lines will help.

    • Findmysec@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      It should technically do that already, but as extra insurance I’m running it with the -u bind flag in ENTRYPOINT. The problem was solved with a chmod 755