On Thu, 7 Mar 2002, Todd Punderson wrote:

> I did an update --world tonight and I also ran into this. It's probably
> destined for bugzilla, but I wanted to ask first.
>
> After updating to bind-9.1.3-r7 I had a problem getting it to run. I
> determined the problem to be the following. The named startup script
> executes this: start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -n 1
>
> Since named switches to uid 'named' it doesn't have access to write to
> /var/run/named.pid. However, I noticed that there is now a
> /var/run/named dir that is owned by named.named... This is all well and
> good but the named binary doesn't try to write its pidfile to that
> directory and bombs. I looked in the ebuild and the bind documentation
> and there is a way to configure it to point to another directory: on the
> configure script it needs --localstatedir=/var/run/named instead of
> --localstatedir=/var but this also means that the /etc/init.d/named
> script needs to be edited to point to /var/run/named/run/named.pid for
> the stop portion of it. Maybe the extra 'run' in there could be edited
> out by modifying the bind source, I didn't dig that far, I just need
> it running. :)
> Also /var/bind needs to be owned by named.named in order for the zone
> files to be read (since I did an upgrade, this bit me, it may not on a
> new install)
>

The reason for the change was that bind used to run as root
(inadvertently). It is not safe (or necessary) to run named as
root. For named to run as a different user (that's what the -u option
does) it needs to be able to write its pid file. This location can be
specified in the config file. This option was included there too. It is
not necessary / not safe for the /var/bind dir to be owned by named. Named
does need to be able to read it though. Only if you want to use dynamic
updates, the files to which you want bind to have access must be owned
by named. Be very careful with dynamic update though, as it might
compromise your server (and with it possibly your network).

Paul

--
 ___
/~~~\ | Paul de Vrieze
| O-O | | Student of information management and technology
| _ | | Mail: Paul@××××××××.net
\___/ | Homepage: http://www.devrieze.net
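The privilege split Paul describes (pid directory writable by the named user, zone directory readable but not owned by it unless dynamic updates are in use) as an added checker; this is example code, not anything from the thread or from the Gentoo bind ebuild. It takes the paths /var/bind and /var/run/named and the user name named from the messages above, and the numeric ids used for testing are constructed.

```python
import os
import pwd
import stat

NAMED_USER = "named"        # user given to "named -u named" by the init script
ZONE_DIR = "/var/bind"      # zone files: readable by named, but not owned by it
PID_DIR = "/var/run/named"  # pid file directory: must be writable by named


def can_access(uid, gid, mode, need, as_uid, as_gids):
    """Owner/group/other permission test for one directory (uid, gid, mode).
    need is 'r', 'w' or 'x'. Root override and POSIX ACLs are ignored,
    which is the point: named is supposed to run without root.
    """
    bit = {"r": 4, "w": 2, "x": 1}[need]
    if uid == as_uid:
        return bool((mode >> 6) & bit)
    if gid in as_gids:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


def check_layout(zone, pid, named_uid, named_gids, dynamic_updates=False):
    """zone and pid are (uid, gid, mode) triples; returns a list of findings."""
    problems = []
    zuid, zgid, zmode = zone
    puid, pgid, pmode = pid
    # named must be able to list and enter the zone directory ...
    if not (can_access(zuid, zgid, zmode, "r", named_uid, named_gids)
            and can_access(zuid, zgid, zmode, "x", named_uid, named_gids)):
        problems.append("named cannot read %s" % ZONE_DIR)
    # ... but should only own it when dynamic updates have to rewrite zones
    if zuid == named_uid and not dynamic_updates:
        problems.append("%s is owned by named; only needed for dynamic updates" % ZONE_DIR)
    # without write access here, "named -u named" cannot drop its pid file and exits
    if not (can_access(puid, pgid, pmode, "w", named_uid, named_gids)
            and can_access(puid, pgid, pmode, "x", named_uid, named_gids)):
        problems.append("named cannot write its pid file under %s" % PID_DIR)
    return problems


def triple(path):
    """(uid, gid, permission bits) of a real path, for a check on a live host."""
    st = os.stat(path)
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    pw = pwd.getpwnam(NAMED_USER)
    for line in check_layout(triple(ZONE_DIR), triple(PID_DIR), pw.pw_uid, {pw.pw_gid}) or ["ok"]:
        print(line)
```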