| 1 |
On Thu, 7 Mar 2002, Todd Punderson wrote: |
| 2 |
|
| 3 |
> I did a update --world tonight and I also ran into this. It's probably |
| 4 |
> destined for bugzilla, but I wanted to ask first. |
| 5 |
> |
| 6 |
> After updating to bind-9.1.3-r7 I had a problem getting it to run. I |
| 7 |
> determined the problem to be the following. The named startup script |
| 8 |
> executes this: start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -n 1 |
| 9 |
> |
| 10 |
> Since named switches to uid 'named' it doesn't have access to write to |
| 11 |
> /var/run/named.pid However, I noticed that there is now a |
| 12 |
> /var/run/named dir that is owned by named.named...This is all well and |
| 13 |
> good but the named binary doesn't try to write it's pidfile to that |
| 14 |
> directory and bombs. I looked in the ebuild and the bind documentation |
| 15 |
> and there is a way to configure it to point to another directory: on the |
| 16 |
> configure script it needs --localstatedir=/var/run/named instead of |
| 17 |
> --localstatedir=/var but this also means that the /etc/init.d/named |
| 18 |
> script needs to be edited to point to /var/run/named/run/named.pid for |
| 19 |
> the stop portion of it. Maybe the extra 'run' in there could be edited |
| 20 |
> out with by modifing the bind source, I didn't dig that far, I just need |
| 21 |
> it running. :) |
| 22 |
> Also /var/bind needs to be owned by named.named in order for the zone |
| 23 |
> files to be read (since I did an upgrade, this bit me, it may not on a |
| 24 |
> new install) |
| 25 |
> |
| 26 |
|
| 27 |
The reason for the change was that bind used to run as root |
| 28 |
(inadvertently). It is not safe (or necessary to do so) to run named as |
| 29 |
root. For named to run as a different user (that's what the -u option |
| 30 |
does) it needs to be able to write it's pid file. This location can be |
| 31 |
specified in the config file. This option was included there too. It is |
| 32 |
not necessary / not safe for the /var/bind dir to be owned by named. Named |
| 33 |
does need to be able to read it though. Only if you want to use dynamic |
| 34 |
updates, the files to which you want bind to have access to must be owned |
| 35 |
by named. Be very careful with dynamic update though, as it might |
| 36 |
compromise your server (and with it possibly your network) |
| 37 |
|
| 38 |
Paul |
| 39 |
|
| 40 |
-- |
| 41 |
___ |
| 42 |
/~~~\ | Paul de Vrieze |
| 43 |
| O-O | | Student of information management and technology |
| 44 |
| _ | | Mail: Paul@××××××××.net |
| 45 |
\___/ | Homepage: http://www.devrieze.net |
Archives