Re: Experiences running named and rndc on 4.4 vs 4.3

2008-11-13 Thread 23号
--
Best Regards

My Chaos: https://n23.appspot.com
vi /etc/rc:
...
if [ X"${named_flags}" != X"NO" ]; then
    # regenerate the shared secret when the two copies differ
    if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
        echo -n "rndc-confgen: generating new shared secret... "
        if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
            chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
            echo done.
        else
            echo failed.
        fi
    fi

    echo 'starting named';  named $named_flags
fi
...



Re: Experiences running named and rndc on 4.4 vs 4.3

2008-11-12 Thread Woodchuck
On Tue, 11 Nov 2008, Don Jackson wrote:

 Today I began testing named on a freshly installed OpenBSD 4.4 amd64
 machine, using my old named.conf file from 4.3 (which was still running
 named version 9.4.2)
 
 When the machine first boots after the install, /etc/rc determines there is
 no rndc.key, and generates one:
 
 rndc-confgen: generating new shared secret... done.
 starting named
 
 
 Here are the owner, group, and file modes of the two different copies of
 rndc.key that are generated:
 
 # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
 -rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
 -rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
 named only cares about the rndc.key in /var/named/etc

Right.  But later, rndc will use the /etc version.  So you need
both, and the permissions you show are sane ones.

 Looking at the logs: /var/log/daemon, one can see:
 
 Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
 Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied
 
 Here is my workaround:
 
 # chown root:named /var/named/etc/rndc.key
 # ls -lAF /var/named/etc/rndc.key
 -rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
 Should /etc/rc set the group ownership of /var/named/etc/rndc.key?
 
 Comments?

I think rndc.key should pick up the named group from the ownerships
and permissions on /var/named/etc. 

/var/named/etc should be owned by root.named and have permissions 750.

I bet your /var/named/etc is owned by root.wheel.

Dave
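The group-inheritance point Dave makes above, as an added model (not code from the thread or from OpenBSD's /etc/rc) that assumes named runs as user and group named, chrooted to /var/named, so the "/etc/rndc.key" in its log is /var/named/etc/rndc.key on the host:

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640


def create_in_dir(parent: Inode, creator: str, mode: int) -> Inode:
    """BSD semantics: a new file inherits the group of its parent directory."""
    return Inode(owner=creator, group=parent.group, mode=mode)


def can_read(user: str, groups: frozenset[str], f: Inode) -> bool:
    """Plain Unix discretionary access check for the read bit (root bypasses)."""
    if user == "root":
        return True
    if user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def rc_generates_key(named_etc: Inode) -> Inode:
    """What the rc step (rndc-confgen run as root, then chmod 0640) leaves behind."""
    return create_in_dir(named_etc, "root", 0o640)


def named_can_read_key(named_etc: Inode) -> bool:
    """Assumption: the daemon runs as user 'named' with primary group 'named'."""
    return can_read("named", frozenset({"named"}), rc_generates_key(named_etc))


def diagnose(named_etc: Inode) -> list[str]:
    """Commands that make the key readable now and keep future rc runs correct."""
    fixes = []
    if named_etc.group != "named":
        fixes.append("chown root:named /var/named/etc")  # the root cause Dave names
    if named_etc.mode != 0o750:
        fixes.append("chmod 750 /var/named/etc")
    if not named_can_read_key(named_etc):
        fixes.append("chown root:named /var/named/etc/rndc.key")  # Don's workaround
    return fixes
```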



Re: Experiences running named and rndc on 4.4 vs 4.3 - Solved/Explained

2008-11-12 Thread Don Jackson
Yes, you are exactly right.
My OS install script renames the existing /var/named/etc directory, and
creates a new one pulled from version control, and in so doing, does not
restore the correct ownership of the etc directory.

So later on, during the execution of /etc/rc, the rndc.key file gets created
with the wrong ownership, which led to the problem I reported.

Because the rndc.key was generated later in this process, I did not think I
had an ownership issue with it, but clearly the problem is the ownership of
the parent directory.

Thank you for your insight into my problem, I will make sure my install
scripts do a better job of maintaining the ownership/permissions...

Don


Re: Experiences running named and rndc on 4.4 vs 4.3

2008-11-11 Thread Stijn

Don Jackson wrote:

Today I began testing named on a freshly installed OpenBSD 4.4 amd64
machine, using my old named.conf file from 4.3 (which was still running
named version 9.4.2)

When the machine first boots after the install, /etc/rc determines there is
no rndc.key, and generates one:

rndc-confgen: generating new shared secret... done.
starting named


Here are the owner, group, and file modes of the two different copies of
rndc.key that are generated:

# ls -lAF /etc/rndc.key /var/named/etc/rndc.key
-rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
-rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key


named only cares about the rndc.key in /var/named/etc

Looking at the logs: /var/log/daemon, one can see:

Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied

Here is my workaround:

# chown root:named /var/named/etc/rndc.key
# ls -lAF /var/named/etc/rndc.key
-rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key


Should /etc/rc set the group ownership of /var/named/etc/rndc.key?

Comments?

Hi,

On my system this file is already owned by named:

# ls -al /etc/rndc.key
-rw-------  1 root  wheel  77 Oct  7 22:47 /etc/rndc.key
# ls -al /var/named/etc/rndc.key
-rw-r-----  1 root  named  77 Oct  7 22:47 /var/named/etc/rndc.key
# uname -a
OpenBSD puffy.localnet 4.4 GENERIC#1074 i386

HTH,
Stijn