Hello. I want to change the location of the log file to /var/log/dnsmasq/dnsmasq.log, but I received a Permission denied error. The ways on the web to solve this do not work.
I added the following lines to /etc/dnsmasq.conf
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
And created such a directory:
$ ls -al /var/log | grep dnsmasq
drwxrwxr-x 2 dnsmasq root 4096 Aug 26 21:08 dnsmasq
-rw-rw---- 1 dnsmasq root 18424617 Aug 27 19:22 dnsmasq.log
However, when I tried to run dnsmasq:
$ sudo dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
dnsmasq: cannot open log /var/log/dnsmasq/dnsmasq.log: Permission denied
This happens the first time dnsmasq is launched after changing the config, and /var/log/dnsmasq/ is still empty after that.
The following commands don't work either.
$ chown dnsmasq:root /var/log/dnsmasq/
$ chown root:root /var/log/dnsmasq/
$ chown dnsmasq:dnsmasq /var/log/dnsmasq
$ chmod 777 /var/log/dnsmasq
Last edited by Sving1024 (2024-08-28 15:08:54)
ls -laR /var/log/dnsmasq/
ls -laR /var/log/dnsmasq/
$ ls -laR /var/log/dnsmasq/
/var/log/dnsmasq/:
total 8
drwxrwxr-x 2 dnsmasq root 4096 Aug 26 21:08 .
drwxr-xr-x 15 root root 4096 Aug 27 18:17 ..
dnsmasq will create the log file if the file doesn't exist.
btw, creating the log file manually like this
$ ls -laR /var/log/dnsmasq/
/var/log/dnsmasq/:
total 8
drwxrwxr-x 2 dnsmasq root 4096 Aug 27 22:49 .
drwxr-xr-x 15 root root 4096 Aug 27 18:17 ..
-rw-rw-r-- 1 dnsmasq root 0 Aug 27 22:49 dnsmasq.log
does not help either.
Last edited by Sving1024 (2024-08-27 15:03:46)
I had hoped for the file existing and blocking the permissions.
It should™ not matter, but what if you change the group of the directory and "--group dnsmasq"?
Can dnsmasq transit to the path?
stat /var /var/log
sudo -u dnsmasq touch /var/log/dnsmasq/wtf
Sorry about replying so late to you.
I changed the group and ran with "--group=dnsmasq", but it still does not work.
$ ls -la /var/log/ | grep dnsmasq
drwxrwxr-x 2 dnsmasq dnsmasq 4096 Aug 28 13:03 dnsmasq
-rw-rw---- 1 dnsmasq root 34441281 Aug 28 13:01 dnsmasq.log
$ sudo dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --group=dnsmasq
dnsmasq: cannot open log /var/log/dnsmasq/dnsmasq.log: Permission denied
$ stat /var /var/log
File: /var
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 254,0 Inode: 5242881 Links: 13
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-08-28 12:58:00.973648963 +0800
Modify: 2024-08-28 12:49:51.762348791 +0800
Change: 2024-08-28 12:49:51.762348791 +0800
Birth: 2024-06-09 12:23:58.066254202 +0800
File: /var/log
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 254,0 Inode: 5242887 Links: 15
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-08-27 19:10:58.723800483 +0800
Modify: 2024-08-27 18:17:59.081593553 +0800
Change: 2024-08-27 18:17:59.081593553 +0800
Birth: 2024-06-09 12:23:58.066254202 +0800
$ sudo -u dnsmasq touch /var/log/dnsmasq/dnsmasq.log
$ ls -laR /var/log/dnsmasq/
/var/log/dnsmasq/:
total 8
drwxrwxr-x 2 dnsmasq dnsmasq 4096 Aug 28 13:11 .
drwxr-xr-x 15 root root 4096 Aug 27 18:17 ..
-rw-r--r-- 1 dnsmasq dnsmasq 0 Aug 28 13:11 dnsmasq.log
$ sudo dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --group=dnsmasq
dnsmasq: cannot open log /var/log/dnsmasq/dnsmasq.log: Permission denied
Last edited by Sving1024 (2024-08-28 05:22:51)
Time to draw the broadsword.
sudo -i # you cannot sudo strace, we need a root shell
strace -tt -f -o /tmp/dnsmasq.strace dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --group=dnsmasq
chmod ugo+rw /tmp/dnsmasq.strace
exit
cat /tmp/dnsmasq.strace | curl -F 'file=@-' 0x0.st
dnsmasq queries and fails /run/systemd/userdb, queries the process capabilities but then doesn't seem to set the UID at all.
=> make the path ugo+rwx, remove the existing log, run dnsmasq and see what ownership it ends up with…
$ sudo chmod ugo+rwx /run/systemd/userdb /run /run/systemd
$ sudo rm -rf /var/log/dnsmasq/dnsmasq.log
$ sudo rm -rf /var/log/dnsmasq.log
$ sudo dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --group=dnsmasq
dnsmasq: cannot open log /var/log/dnsmasq/dnsmasq.log: Permission denied
$ ls -la | grep userdb
drwxrwxrwx 2 root root 120 Aug 28 20:57 userdb
$ ls -la /run/systemd/userdb/
total 0
drwxrwxrwx 2 root root 120 Aug 28 20:57 .
drwxrwxrwx 23 root root 640 Aug 28 21:25 ..
lrwxrwxrwx 1 root root 42 Aug 28 20:57 io.systemd.DropIn -> /run/systemd/userdb/io.systemd.Multiplexer
srw-rw-rw- 1 root root 0 Aug 28 20:57 io.systemd.DynamicUser
srw-rw-rw- 1 root root 0 Aug 28 20:57 io.systemd.Multiplexer
lrwxrwxrwx 1 root root 42 Aug 28 20:57 io.systemd.NameServiceSwitch -> /run/systemd/userdb/io.systemd.Multiplexer
No "sudo chmod ugo+rwx /var/log/dnsmasq"
The entire chain of /run/systemd/userdb is supposed to be 755, undo that (or reboot, it's a tmpfs)
In fact, /var/log/dnsmasq already has the 777 permission.
Anyway, I tried it again and here's the output.
$ sudo chmod ugo+rwx /var/log/dnsmasq
[sudo] password for Sving1024:
$ sudo chmod 755 /run /run/systemd /run/systemd/userdb
$ sudo systemctl stop dnsmasq.service
$ sudo vim /etc/dnsmasq.conf
$ sudo rm -rf /var/log/dnsmasq/dnsmasq.log
$ sudo dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --group=dnsmasq
dnsmasq: cannot open log /var/log/dnsmasq/dnsmasq.log: Permission denied
$ ls -la /var/log/ | grep dnsmasq
drwxrwxrwx 2 dnsmasq dnsmasq 4096 Aug 28 21:09 dnsmasq
I've tried to replicate this and even w/ dnsmasq:dnsmasq/700 on /var/log/dnsmasq/ there's no problem.
Notably, though:
490501 16:02:09.674487 chdir("/") = 0
490501 16:02:09.674621 openat(AT_FDCWD, "/var/log/dnsmasq/dnsmasq.log", O_WRONLY|O_CREAT|O_APPEND, 0640) = 12
490501 16:02:09.674775 getgid() = 0
490501 16:02:09.674890 fstat(12, {st_mode=S_IFREG|0660, st_size=701, ...}) = 0
490501 16:02:09.675066 fchown(12, 982, -1) = 0
490501 16:02:09.675218 openat(AT_FDCWD, "/dev/null", O_RDWR) = 13
490501 16:02:09.675361 dup2(13, 1) = 1
490501 16:02:09.675483 dup2(13, 2) = 2
490501 16:02:09.675662 dup2(13, 0) = 0
490501 16:02:09.675780 close(13) = 0
490501 16:02:09.675897 getuid() = 0
490501 16:02:09.676015 setgroups(0, []) = 0
490501 16:02:09.676178 setgid(982) = 0
490501 16:02:09.676299 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_RAW, permitted=1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_RAW, inheritable=0}) = 0
490501 16:02:09.676442 prctl(PR_SET_KEEPCAPS, 1) = 0
490501 16:02:09.676564 setuid(982) = 0
490501 16:02:09.676694 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_RAW, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_RAW, inheritable=0}) = 0
The GID/UID change happens *after* the log is opened, so the restriction is on the root.
Do you harden the system in any way shape or form? Firejail? SE Linux?
Are the log entries the only change you have to the dnsmasq.conf?
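The point seth makes from the strace, that the log is opened before setgid/setuid so a denial there is not the service user's DAC problem, can be checked mechanically. The script below is an added example (not from the thread or from dnsmasq) that parses `strace -f -tt` lines, tracks per PID whether credentials have been dropped yet, and reports for each failing open which phase it ran in; the trace text is constructed for illustration, and the `/var/lib/example/` path is a placeholder.

```python
"""Classify failing open() calls in an strace -f -tt log by whether they
ran before or after the traced process dropped privileges."""
import re

# pid, timestamp, syscall name, argument list, return value, optional errno
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<call>\w+)"
    r"\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?P<err>\s+E\w+)?"
)
OPEN_CALLS = {"open", "openat", "creat"}
DROP_CALLS = {"setuid", "setgid", "setresuid", "setresgid", "setgroups"}

# Constructed sample, modelled on the thread's trace: the log open fails
# while still root, two more opens happen after setgid/setuid.
SAMPLE_TRACE = """\
4242 16:02:09.674487 chdir("/") = 0
4242 16:02:09.674621 openat(AT_FDCWD, "/var/log/dnsmasq/dnsmasq.log", O_WRONLY|O_CREAT|O_APPEND, 0640) = -1 EACCES (Permission denied)
4242 16:02:09.675066 getuid() = 0
4242 16:02:09.676178 setgid(982) = 0
4242 16:02:09.676564 setuid(982) = 0
4242 16:02:09.677000 openat(AT_FDCWD, "/etc/dnsmasq.conf", O_RDONLY) = 3
4242 16:02:09.678000 openat(AT_FDCWD, "/var/lib/example/dnsmasq.leases", O_RDWR|O_CREAT, 0644) = -1 EACCES (Permission denied)
"""

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unfinished/resumed lines and signals are skipped
    rec = m.groupdict()
    rec["ret"] = int(rec["ret"])
    rec["err"] = rec["err"].strip() if rec["err"] else None
    return rec

def classify_opens(trace_text):
    """Return (path, phase, errno) per open call; phase is 'root' until the
    same pid has successfully called a credential-dropping syscall."""
    dropped = {}
    results = []
    for raw in trace_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["call"] in DROP_CALLS and rec["ret"] == 0:
            dropped[rec["pid"]] = True
        elif rec["call"] in OPEN_CALLS:
            path_m = re.search(r'"([^"]+)"', rec["args"])
            path = path_m.group(1) if path_m else "?"
            phase = "dropped" if dropped.get(rec["pid"]) else "root"
            results.append((path, phase, rec["err"]))
    return results

def explain_failures(trace_text):
    """One diagnosis line per failing open, pointing at DAC or MAC."""
    msgs = []
    for path, phase, err in classify_opens(trace_text):
        if err is None:
            continue
        if phase == "root":
            msgs.append(f"{path}: {err} while still root; not a DAC issue, "
                        "check MAC (AppArmor/SELinux) denials")
        else:
            msgs.append(f"{path}: {err} after privilege drop; check owner/mode "
                        "for the service user")
    return msgs

if __name__ == "__main__":
    print("\n".join(explain_failures(SAMPLE_TRACE)))
```

Run it against a real capture with `explain_failures(open("/tmp/dnsmasq.strace").read())`; a root-phase EACCES is the signature that a MAC profile, not the directory mode, is refusing the open.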
Oh, I remembered that. I recently enabled AppArmor for my system. Log entries are the only change I have.
I recently enabled AppArmor for my system.
I bet your right arm it's gonna work if you disable it - then you'll have to refine your apparmor config
Seems I didn't give read permission for dnsmasq in the config file of AppArmor.
After adding the line /var/log/dnsmasq/dnsmasq*.log w, to /etc/apparmor.d/usr.sbin.dnsmasq, the logging works well.
Thanks a lot!
\o/
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
ok. "[solved]" is added.