On Fri, Mar 15, 2002 at 11:30:00AM +0100, gentoo-user@××××××××.net wrote:
> On Thu, 7 Mar 2002, Todd Punderson wrote:
>
> > Also /var/bind needs to be owned by named.named in order for the zone
> > files to be read (since I did an upgrade, this bit me, it may not on a
> > new install)
> >
>
> The reason for the change was that bind used to run as root
> (inadvertently). It is not safe (or necessary to do so) to run named as
> root. For named to run as a different user (that's what the -u option
> does) it needs to be able to write its pid file. This location can be
> specified in the config file. This option was included there too. It is
> not necessary / not safe for the /var/bind dir to be owned by named. Named
> does need to be able to read it though. Only if you want to use dynamic
> updates, the files to which you want bind to have access must be owned
> by named. Be very careful with dynamic update though, as it might
> compromise your server (and with it possibly your network).
>

I am by god no bind expert, only forced by local circumstances
to run named. The issue of the .pid file raised by the original poster
is easily solved by adding a pid-file option to your
/etc/bind/named.conf:

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
};

However, the ownership of /var/bind is more crucial. I don't think
the problem is with reading if you have standard rw-r--r-- permissions
on zone files; i.e. create files with a 022 umask.
However, a secondary name server (which I need) needs to be able to
write transferred zonefiles somewhere, and with the above directory
option these end up in /var/bind; failing if /var/bind isn't owned
by named.named. I guess I could put them into /var/bind/sec and
make this directory writable to named.named. However, where is
the security problem of /var/bind being owned by named.named in the
first place? Further, it would seem that bind/named drops all privileges
anyway, since starting named without -u fails to write a .pid file
at all (permission denied), which is not consistent with root
permissions.

[Sorry, I come from the bind 8.* world and hope to get by with
using my old config files...]

HTH, and thanks for any clarifications (my gentoo bind9 server should
go into production fairly soon :-)

Stefan
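The layout the two posts circle around, written out as a BIND 9 named.conf. This is an added example, not configuration from either poster or from the Gentoo package: /var/bind stays root-owned and read-only for named, the pid file goes where the -u user can write it, dynamic update is refused on the primary zone, and the secondary's transferred copy is written into a named-owned sec/ subdirectory (the arrangement Stefan suggests). The zone names and the master address (example.org, example.net, 192.0.2.1) are placeholders. In BIND 9 a relative "file" path is resolved against "directory", which is what sends the transferred zone into /var/bind/sec rather than /var/bind itself.

```conf
// Ownership to set up beforehand (run as root; shown as comments because
// these are shell commands, not named.conf syntax; paths are assumptions):
//   chown root:root /var/bind          && chmod 755 /var/bind
//   chmod 644 /var/bind/*.zone          (named reads these, never writes)
//   mkdir -p /var/bind/sec /var/run/named
//   chown named:named /var/bind/sec /var/run/named
//   chmod 750 /var/bind/sec /var/run/named
// Then start the daemon as:  named -u named

options {
        directory "/var/bind";                  // read-only for named
        pid-file  "/var/run/named/named.pid";   // must be writable by the -u user
};

// Primary zone: the master file stays root-owned under /var/bind and
// dynamic update is refused, so named never needs write access to it.
zone "example.org" {
        type master;
        file "example.org.zone";                // -> /var/bind/example.org.zone
        allow-update { none; };
};

// Secondary zone: a relative "file" is resolved against "directory", so
// the transferred copy lands in /var/bind/sec/, the only part of the tree
// owned by named.
zone "example.net" {
        type slave;
        masters { 192.0.2.1; };
        file "sec/example.net.zone";            // -> /var/bind/sec/example.net.zone
};
```

With this split, a compromised named process can corrupt only what it already had to be able to write (its pid file and the secondary copies it received over the wire); named.conf and the primary zone data remain untouchable from the daemon's uid, which is the property the -u change was meant to buy.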