| 1 |
On Fri, Mar 15, 2002 at 11:30:00AM +0100, gentoo-user@××××××××.net wrote: |
| 2 |
> On Thu, 7 Mar 2002, Todd Punderson wrote: |
| 3 |
> |
| 4 |
> > Also /var/bind needs to be owned by named.named in order for the zone |
| 5 |
> > files to be read (since I did an upgrade, this bit me, it may not on a |
| 6 |
> > new install) |
| 7 |
> > |
| 8 |
> |
| 9 |
> The reason for the change was that bind used to run as root |
| 10 |
> (inadvertently). It is not safe (or necessary to do so) to run named as |
| 11 |
> root. For named to run as a different user (that's what the -u option |
| 12 |
> does) it needs to be able to write it's pid file. This location can be |
| 13 |
> specified in the config file. This option was included there too. It is |
| 14 |
> not necessary / not safe for the /var/bind dir to be owned by named. Named |
| 15 |
> does need to be able to read it though. Only if you want to use dynamic |
| 16 |
> updates, the files to which you want bind to have access to must be owned |
| 17 |
> by named. Be very careful with dynamic update though, as it might |
| 18 |
> compromise your server (and with it possibly your network) |
| 19 |
> |
| 20 |
|
| 21 |
I am by god no bind expert, only forced by local circumstances |
| 22 |
to run named. The issue of the .pid file raised by the original poster |
| 23 |
is easily solved by adding a pid-file option to your |
| 24 |
/etc/bind/named.conf |
| 25 |
|
| 26 |
options { |
| 27 |
directory "/var/bind"; |
| 28 |
pid-file "/var/run/named/named.pid"; |
| 29 |
}; ^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 30 |
|
| 31 |
However, the ownership of /var/bind is more crucial. I don't think |
| 32 |
the problem is with reading if you have standard rw-r--r-- permissions |
| 33 |
on zone files; i.e. create files with a 022 umask. |
| 34 |
However, a secondary name server (which I need) needs to be able to |
| 35 |
write transferred zonefiles somewhere, and with the above directory |
| 36 |
option these end up in /var/bind; failing if /var/bind isn't owned |
| 37 |
by named.named. I guess I could put them into /var/bind/sec and |
| 38 |
make this directory writable to named.named. However, where is |
| 39 |
the security problem of /var/bind being owned by named.named in the |
| 40 |
first place? Further, it would seem that bind/named drops all privileges |
| 41 |
anyways, since starting named without -u fails to write a .pid file |
| 42 |
at all (permission denied), which is not consistent with root |
| 43 |
permissions. |
| 44 |
|
| 45 |
[Sorry, I come from the bind 8.* world and hope to get by with |
| 46 |
using my old config files...] |
| 47 |
|
| 48 |
HTH, and thanks for any clarifications (my gentoo bind9 server should |
| 49 |
go into production fairly soon :-) |
| 50 |
|
| 51 |
Stefan |
Archives