)(*&)(*&)(*&)(*& named

Paul Schmehl pauls at utdallas.edu
Wed Feb 1 18:39:30 PST 2006


--On February 2, 2006 7:04:06 AM +0800 Daniel <jahilliya at gmail.com> wrote:
>
> The biggest difference between running as root and the startup script
> are the command line arguments given in either case.
>
> Script flags: -u bind -t /var/named
> CLI flags: -c /usr/local/etc/named.conf -u root
>
Yes, I know.  I'm starting the daemon as root because it can't write to the 
pidfile when it's started as bind.

> The man page will show you that the -t flag indicates you want named
> to chroot (recommended practice). It also is running as bind and not
> root.
>
Yes, I know that as well.

> Check out /var/named and your named config file. You will probably
> find that /var/named/named.pid is not writable by the user bind.
>
It's writeable as bind.

ls -lsa /var/named/
total 19
2 drwxr-xr-x   5 root  wheel   512 Feb  1 20:30 .
2 drwxr-xr-x  20 root  wheel   512 Jan 27 17:42 ..
2 -rw-r--r--   1 bind  bind    212 Feb  1 20:15 127.0.0
1 dr-xr-xr-x   4 root  wheel   512 Feb  1 20:33 dev
2 drwxr-xr-x   3 root  wheel   512 Feb  1 20:11 etc
2 -rw-r--r--   1 bind  bind    580 Feb  1 20:14 friendshipforest.zone
2 -r--r--r--   1 bind  bind   1511 Feb  1 20:14 named.ca
2 -rw-r--r--   1 bind  bind      6 Feb  1 20:20 named.pid
2 -rw-r--r--   1 bind  bind    516 Feb  1 20:14 stovebolt.zone
2 drwxr-xr-x   6 root  wheel   512 Feb  1 20:11 var

I removed /var/named and let the script recreate it.  Now it can't find 
named.conf

> You may also find that the named config isn't specifying a full path
> to be used within the chroot directory (/var/named).
>
options {
        directory "/var/named";
        allow-transfer{
                none;
        };
        allow-query{
                any;
        };
        allow-recursion{
                local-info;
        };
        listen-on{
                127.0.0.1;
                66.221.101.248;
        };
        version "nice try";
        auth-nxdomain yes;
#       pid-file "named.pid";
        blackhole{
                "bogusnet";
        };
        query-source address * port 53;
};

> Below is the config for my named that runs chrooted.
>         directory       "/";
>         pid-file        "/named.pid";
>         dump-file       "/dump/named_dump.db";
>         statistics-file "/stats/named.stats";
>
> Yours may look something like:
>         directory       "/var/named/";
>         pid-file        "/var/named/named.pid";
>         dump-file       "/var/named/dump/named_dump.db";
>         statistics-file "/etc/named/stats/named.stats";
>
And where do the zone files go?  Where does the rndc.key file go?  Where 
does the named.conf file go?

> The paths in named.conf need to be relative to the chroot, not the base.
>
I'm not sure what you mean here.  The chroot directory is /var/named.  The 
directory specified in named.conf is /var/named.  To what are you referring 
when you say "the paths"?
>>
>> When I try to start named using rndc, I get this:
>>
>> rndc start
>> rndc: connect failed: connection refused
>
> rndc does not have a command "start"
>
Missed that.

> restart is also not yet implemented.
>
Knew that.
>
> Writing your own startup scripts is unnecessary, especially for
> something that already has one (or in this case, maybe two, /etc/rc.d
> and /usr/local/etc/rc.d)
>
Except for one niggling problem.  It doesn't work.  Due to my ignorance, 
I'm sure, but it doesn't work.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
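The path confusion in this exchange, as an added example that is not part of the original post: a small POSIX sh helper (constructed here, not a BIND or FreeBSD tool) that maps the paths in a named.conf to where they actually land on the host filesystem when named is started with -t CHROOT. It assumes only the BIND rule that every path in named.conf is interpreted inside the chroot, and that a relative file name is resolved against the "directory" option.

```shell
#!/bin/sh
# When named runs with -t CHROOT, "/" inside named.conf is CHROOT on the host.
# So with -t /var/named and directory "/var/named", a relative "named.pid"
# is written to /var/named/var/named/named.pid on the host, not /var/named/named.pid.

# Print the first uncommented, double-quoted value of option $1 in conf file $2.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# host_path CHROOT DIRECTORY FILE
# FILE is resolved the way named sees it: absolute paths stay as given,
# relative paths hang off DIRECTORY; the result is then prefixed with CHROOT.
host_path() {
    chroot=$1; directory=$2; file=$3
    case "$file" in
        /*) inner=$file ;;
        *)  inner="${directory%/}/$file" ;;
    esac
    printf '%s\n' "${chroot%/}$inner"
}

# pidfile_host_path CHROOT NAMED_CONF: host path named will try to write its pid file to.
# Returns 1 when pid-file is not set (named then uses its built-in default, not shown here).
pidfile_host_path() {
    dir=$(conf_value directory "$2")
    pid=$(conf_value pid-file "$2")
    if [ -z "$pid" ]; then
        echo "pid-file not set in $2; named will use its built-in default" >&2
        return 1
    fi
    host_path "$1" "${dir:-/}" "$pid"
}

# Constructed sample: the poster's options block with the pid-file line uncommented.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
options {
        directory "/var/named";
        pid-file "named.pid";
};
EOF
pidfile_host_path /var/named "$sample_conf"
rm -f "$sample_conf"
```

Run it against the real named.conf and the chroot given to -t, then check with ls -ld that the printed directory exists inside the chroot and is writable by the user given to -u.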
