Ownership of /var/named Changes on Reboot.

krad kraduk at googlemail.com
Thu Jun 17 08:37:06 UTC 2010


On 17 June 2010 08:47, Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:

> On 17/06/2010 04:21:34, Peter Boosten wrote:
> > On 17-6-2010 4:58, Robert Huff wrote:
> >>
> >> Martin McCormick writes:
> >>
> >>>     Is there a way to keep /var/named owned by bind across
> >>>  reboots?
> >>
> >>      Yes.  I had this happen for a long time.
> >>      The bad news is it had been years since I fixed it, and I no
> >> longer remember exactly what I did.  I will keep trying.
> >>
> >>
> >
> > Permissions are set using the mtree files:
> >
> > /etc/mtree/
> >
>
> Furthermore, the default setup *is* for named to run as an unprivileged
> process.  The setup is very carefully designed so that named doesn't
> have write permission on the directory where its configuration files are
> stored, or on directories that contain static zone files, but it does
> have write permission on directories it uses for zone files AXFR'd from
> a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable
> current working directory -- which was basically harmless and could be
> ignored.  However recent changes mean bind needs a writable working
> directory, so the latest layouts include /var/named/etc/namedb/working
>
>        Cheers,
>
>        Matthew
>
> - --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions

So the logical extension to this is by changing the ownership of the
directory to bind, you are making the configuration directory writeable, and
therefore you are actually lowering security.
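As an added illustration (not code from this thread or from FreeBSD) of the split Matthew describes, the script below applies the ordinary owner/group/other write-bit test to constructed directory metadata and reports where the access named gets as user "bind" differs from the intended layout; the path list, expected modes and the assumption that named runs as "bind" in group "bind" are taken from the discussion, not read from /etc/mtree.

```python
import stat

# The split Matthew describes: named (running as "bind") must not be able to
# write where its configuration and static zone files live, but needs write
# access for slave zones (AXFR), dynamic-DNS zones and its working directory.
# Paths are relative to the chroot /var/named; the policy is assumed from the
# post, not taken from any FreeBSD mtree file.
POLICY = {
    "etc/namedb":         False,  # named.conf, rndc.key: read-only for bind
    "etc/namedb/master":  False,  # static zone files: read-only for bind
    "etc/namedb/slave":   True,   # zones transferred from a master
    "etc/namedb/dynamic": True,   # zones updated via dynamic DNS
    "etc/namedb/working": True,   # the writable cwd recent bind needs
}

def can_write(entry, user, groups):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    owner, group, mode = entry
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(tree, user="bind", groups=("bind",), policy=POLICY):
    """Return (path, expected_writable, actual_writable) for each mismatch.

    A path missing from the tree is reported with actual_writable=None."""
    violations = []
    for path, want in policy.items():
        if path not in tree:
            violations.append((path, want, None))
            continue
        have = can_write(tree[path], user, groups)
        if have != want:
            violations.append((path, want, have))
    return violations

# Constructed metadata (owner, group, mode) mimicking the stock layout.
STOCK = {
    "etc/namedb":         ("root", "wheel", 0o755),
    "etc/namedb/master":  ("root", "wheel", 0o755),
    "etc/namedb/slave":   ("bind", "bind",  0o755),
    "etc/namedb/dynamic": ("bind", "bind",  0o755),
    "etc/namedb/working": ("bind", "bind",  0o755),
}

# The same tree after a blanket `chown -R bind /var/named`: the ownership
# "sticks", but named can now rewrite its own configuration and static zones.
CHOWNED = {p: ("bind", "bind", m) for p, (_, _, m) in STOCK.items()}

if __name__ == "__main__":
    for name, tree in (("stock", STOCK), ("chown -R bind", CHOWNED)):
        print(name, audit(tree) or "OK")
```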

