permissions on /etc/namedb

Ian Smith smithi at nimnet.asn.au
Sun Aug 3 13:05:44 UTC 2008


On Sun, 3 Aug 2008, Eugene Grosbein wrote:

 > I need /etc/namedb to be owned by root:bind and have permissions 01775,
 > so bind may write to it but may not overwrite files that belong to root
 > here, and I made it so. Surprise!
 > 
 > # /etc/rc.d/named restart
 > Stopping named.
 > Waiting for PIDS: 1892.
 > etc/namedb changed
 >         gid expected 0 found 53 modified
 >         permissions expected 0755 found 01775 modified
 > Starting named.

Are you running /etc/namedb linked to chroot'd /var/named/etc/namedb?
If so, that'd be mtree restoring perms from /etc/mtree/BIND.chroot.dist

I couldn't get rndc trace running to named.run for ages, same problem: 
bind user couldn't write to (default) /var/named/etc/namedb/named.run
unless it already existed, owned by bind.  Added to /etc/rc.d/named:

 touch /var/named/etc/namedb/named.run
 chown bind /var/named/etc/namedb/named.run	# bind:wheel 644

and now trace and querylog are happy, so I am.  Running latest 5-STABLE
here but I see no changes in 7 or HEAD cvs related to this.  Suppose I
should do up a PR with a patch, unless someone knows a better way?

I don't know if this helps with whatever file/s you want bind to write,
or whether there are other files bind writes needing similar treatment.

 > I dislike it very much when a system thinks it knows better what a user needs.
 > Also, I do not want to move the place where bind writes its files to another
 > location just because the system does not want it to write here.
 > Why was this done this way? Am I missing something?

I'm usually glad that FreeBSD's bind setup tends to paranoia :)

cheers, Ian
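Added example, not from the thread (Python rather than the rc.d shell): it emulates the mode/owner comparison mtree performs on restart, printing findings in the same "expected ... found ..." form quoted above, and applies Ian's pre-create-and-chown workaround. The directory, file and expected spec are constructed for the demo and are not taken from /etc/mtree/BIND.chroot.dist.

```python
import os
import shutil
import stat
import tempfile


def check_entry(path, exp_mode, exp_uid, exp_gid):
    """Compare one entry against the expected mode/owner, the way mtree does
    when rc.d/named applies the chroot dist file. Returns a list of findings
    worded like mtree's output (empty list means the entry matches)."""
    st = os.lstat(path)
    found_mode = stat.S_IMODE(st.st_mode)  # permission bits incl. sticky/setgid
    problems = []
    if st.st_uid != exp_uid:
        problems.append(f"uid expected {exp_uid} found {st.st_uid}")
    if st.st_gid != exp_gid:
        problems.append(f"gid expected {exp_gid} found {st.st_gid}")
    if found_mode != exp_mode:
        problems.append(f"permissions expected 0{exp_mode:o} found 0{found_mode:o}")
    return problems


def ensure_writable_file(path, uid, gid, mode=0o644):
    """Ian's workaround: pre-create the file named will write to and hand it
    to the bind user, so it exists regardless of the parent's restored perms.
    chown is only attempted as root; non-root callers keep their own file."""
    if not os.path.exists(path):
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, mode))
    if os.geteuid() == 0:
        os.chown(path, uid, gid)
    return os.path.exists(path)


def demo():
    """Constructed scenario: a namedb-like dir set to 01775 and owned by the
    caller, checked against a spec that expects 0755 (as BIND.chroot.dist
    does), then a named.run pre-created inside it. Returns (findings, ok)."""
    namedb = tempfile.mkdtemp(prefix="namedb-demo-")
    try:
        os.chmod(namedb, 0o1775)
        me, mygrp = os.getuid(), os.getgid()
        findings = check_entry(namedb, 0o755, me, mygrp)
        ok = ensure_writable_file(os.path.join(namedb, "named.run"), me, mygrp)
        return findings, ok
    finally:
        shutil.rmtree(namedb)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```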
