From: Peter van Dijk Date: Mon, 19 Apr 2021 09:39:10 +0000 (+0200) Subject: auth faq: document a ProtectSystem=full implication X-Git-Tag: auth-4.5.0-beta1~28^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dba6837f52b419fda1897e8359c918f0845990c3;p=thirdparty%2Fpdns.git auth faq: document a ProtectSystem=full implication --- diff --git a/docs/appendices/FAQ.rst b/docs/appendices/FAQ.rst index a7a0ac2e5c..da10d965ce 100644 --- a/docs/appendices/FAQ.rst +++ b/docs/appendices/FAQ.rst @@ -72,6 +72,13 @@ Linux Netfilter says your conntrack table is full? Thats a common problem with Netfilter Conntracking and DNS Servers, just tune your kernel variable (``/etc/sysctl.conf``) ``net.ipv4.netfilter.ip_conntrack_max`` up accordingly. Try setting it for a million if you don't mind spending some MB of RAM on it for example. +I get an error about writing to /etc +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This may look something like "unable to open temporary zonefile '/etc/powerdns/zones/example.com.'". +Our systemd units enable ``ProtectSystem=full`` by default, which disallows writes to ``/etc`` and ``/usr``, among other places. +Either move your zone files to a safer place (``/var/lib/powerdns`` is a popular choice) or change the systemd protection settings. + Backends --------
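Review bot: The last added line, "or change the systemd protection settings", gives the reader no concrete step, and the easiest reading of it is to switch ``ProtectSystem`` off for the whole unit. Consider naming the narrow option instead: a drop-in override (``systemctl edit`` on the unit) that adds ``ReadWritePaths=`` for the zone directory from the error message, so that ``ProtectSystem=full`` stays in effect for the rest of ``/etc`` and ``/usr``. In the same line, "a safer place" would be clearer as "a writable location", since the point being made is that ``/etc`` is read-only for the service, and "among other places" in the line above could simply list what ``full`` covers so an operator knows which paths to avoid.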