permissions on /etc/namedb

Ian Smith smithi at nimnet.asn.au
Mon Aug 4 10:57:24 UTC 2008


On Sun, 3 Aug 2008, Doug Barton wrote:
 > Eugene Grosbein wrote:
 > > On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:
[..]
 > >>> Well, I just want bind be allowed to write to its working directory.
 > >> I think that your idea of "BIND's working directory" is probably 
 > >> flawed
 > > 
 > > That's not my idea. From /var/log/messages:
 > > 
 > > Aug  3 15:02:18 host named[657]: the working directory is not writable
 > 
 > That is a quaint reminder of a simpler time. It's far better nowadays 
 > to separate the idea of configuration directories and directories that 
 > named should write to. (One could easily make the argument that this 
 > division should have been enforced from the start, and personally I 
 > never liked having named dropping stuff all over my config directory, 
 > but I digress.)

In the olden days (bind 4) named.run, named.stats and named_dump.db were
all written to /var/tmp .. perhaps because it had the sticky bit set?

 > >> but if what you want is to make /etc/namedb writable by the 
 > >> bind user and have it persist from boot to boot someone else already 
 > >> told you how to do that, so good luck.
 > > 
 > > Sigh... I have to study mtree now.
 > 
 > If it takes you more than 5 minutes, give up. :)
 > 
 > > And for what reason? Just because the system thinks it knows better what user needs.
 > 
 > You previously agreed with me that the defaults should be appropriate 
 > for non-expert users, and I would still argue that they are.

With the notable exception of making standard functions rndc trace and
querylog work, writing to the default file named.run, which named wants
to write in 'the working directory'.  You'll have seen my solution to
that, touching named.run in case it doesn't exist then chown'ing it to
bind:wheel in /etc/rc.d/named, which I don't think endangers security. 

I've not been able to find another solution, and there's no equivalent
of dump-file and statistics-file for the trace/querylog file (that I
can find) but perhaps you know some way the directory to write this
file can be specified in named.conf?  Maybe to /var/named/var/log ?

 > Also, I'm not sure whether you've actually looked at the default 
 > named.conf or not, but the two most common files that someone would 
 > want to write are the dump and statistics files, and there are already 
 > suitable paths for those files provided, and the bind user can 
 > actually write to them by default. It would be trivial to expand those 
 > examples to other things that are of particular interest to you.

That's what I thought, but my extensive reading hasn't shown me how to
do that for named.run, so I'd appreciate a clue for a better solution.

cheers, Ian

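The rc.d approach Ian describes above (touch named.run if it doesn't exist, then chown it to bind:wheel), written out as an added example; this is not code from the thread or from FreeBSD's own /etc/rc.d/named. The directory, owner and group arguments, the symlink check and the helper names are assumptions, chosen so the config directory itself stays non-writable by bind:

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc.d/named): pre-create
# named.run so "rndc trace" and "rndc querylog" can write it without making
# the whole config directory writable by the bind user.
# Assumptions: POSIX sh with chown/chmod/ls/awk; the caller passes the
# directory, owner and group (on FreeBSD: /etc/namedb bind wheel).

prepare_named_run() {
    dir=$1; owner=$2; group=$3
    file="$dir/named.run"

    # The config directory itself stays as it is (root-owned, not bind-writable).
    [ -d "$dir" ] || return 1

    # Refuse to operate on a symlink: chown'ing through a link would hand
    # the bind user write access to whatever the link points at.
    if [ -L "$file" ]; then
        echo "refusing to chown symlink $file" >&2
        return 2
    fi

    # Create the file only if absent, with a restrictive umask, so there is
    # never a window in which it is group- or world-writable.
    if [ ! -e "$file" ]; then
        (umask 077 && : > "$file") || return 3
    fi
    [ -f "$file" ] || return 2      # anything other than a regular file: bail

    chown "$owner:$group" "$file" || return 4
    chmod 0640 "$file" || return 4  # bind writes it; group may read the trace
    return 0
}

# Report "owner:group mode" for a file, portable across BSD and GNU ls
# (a trailing ACL/label marker such as + or . on the mode is dropped).
named_run_status() {
    ls -ld "$1" | awk '{ sub(/[+.@]$/, "", $1); print $3 ":" $4 " " $1 }'
}
```

In /etc/rc.d/named the call would be `prepare_named_run /etc/namedb bind wheel` before named is started; the function returns non-zero, and leaves the file untouched, if named.run is a symlink or not a regular file.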


More information about the freebsd-net mailing list