Re: Wrong ownership of /var/named/master ?
On Sun, Jun 15, 2008 at 09:15:41PM +0200, Dorian Büttner wrote:
> probably the file you gave named in the zone-section of named.conf needs
> to exist in the first place. give named sufficient permission to read
> and, for dynamic update, to write in it - no bug here and no need to
> change directory ownership.

Hi.

I don't think so.

a) The manual (http://www.isc.org/sw/bind/arm95/Bv9ARM-all.html) doesn't list an option to specify the location of the journal file.

b) It is automagically created by named (http://www.isc.org/sw/bind/arm95/Bv9ARM.ch04.html#journal):

[... snip ...]
This file is automatically created by the server when the first dynamic update takes place.
[... snip ...]

Although the documentation doesn't specify the location of the journal, even if it did, named _NEEDS_ to write to the master directory because

c) (http://www.isc.org/sw/bind/arm95/Bv9ARM.ch04.html#journal again):

[... snip ...]
The server will also occasionally write (dump) the complete contents of the updated zone to its zone file. This is not done immediately after each dynamic update, because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by up to 15 minutes, allowing additional updates to take place.
[... snip ...]

Oh and BTW, /var/named/slave _IS_ writable by named:

# ls -ld /var/named/slave/
drwxrwxr-x  2 root  named  512 Mar 12 17:28 /var/named/slave/

Of course it is. named needs it to store and update zone data from the master.

So slave/ is writable by named because it needs to update the (slave) zone files. The same applies to the master directory (see c) ).

So long,

Andreas.

-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: Wrong ownership of /var/named/master ?
On Sun, Jun 15, 2008 at 1:42 PM, Andreas Maus [EMAIL PROTECTED] wrote:
> Hi.
>
> While configuring named on my sweet new Soekris 5501 I discovered a
> little *uhm* misconfiguration (I would not call it a bug).
>
> By default the permissions of /var/named/master are set to 0755 and
> owned by root:wheel. named runs in the chroot /var/named with the user
> named, group named.
>
> For most operations this permission/ownership is sufficient. But if you
> try to use dynamic updates named will fail to create the required
> journals:
>
> 15-Jun-2008 16:31:29.885 zone internal.wlan.badphish.dyndns.org/IN: sending notifies (serial 200806131)
> 15-Jun-2008 16:40:22.278 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' A
> 15-Jun-2008 16:40:22.279 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' TXT
> 15-Jun-2008 16:40:22.280 journal file master/11g.wlan.badphish.dyndns.org.jnl does not exist, creating it
> 15-Jun-2008 16:40:22.280 master/11g.wlan.badphish.dyndns.org.jnl: create: permission denied
> 15-Jun-2008 16:40:22.280 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': error: journal open failed: unexpected error
>
> and dynamic updates will not work.
>
> Simple fix: chown named /var/named/master
>
> Is this a known issue? At least the permissions of /var/named/master
> have been root:wheel since 4.1 (I am using 4.3 right now). Perhaps this
> can be fixed in 4.4, or is there a special reason to set
> /var/named/master to root:wheel?

Hello,

A quick search of the archives yielded these results* (among others):

In summary, the named(8) in the base install doesn't support dynamic dns updates. You will have to install one from ports to get that particular functionality.

Someone correct me if I'm wrong.

--Jamie

* http://marc.info/?l=openbsd-misc&m=109755604901842&w=2
* http://marc.info/?l=openbsd-misc&m=115312797220810&w=2
* http://marc.info/?l=openbsd-misc&m=115296366703096&w=2
* http://marc.info/?l=openbsd-misc&m=117662121618527&w=2
Re: Wrong ownership of /var/named/master ?
On Mon, Jun 16, 2008 at 03:06:46AM -0500, Jamie Gavahan wrote:
> Hello,

Hi.

> A quick search of the archives yielded these results* (among others):
>
> Someone correct me if I'm wrong.

You are wrong :P

named supports dynamic updates via allow-update { key ...; };

But the _DHCP_ server does not support dynamic updates. I've never said that the dhcpd runs on the OpenBSD system.

So long,

Andreas.

P.S.:

* http://marc.info/?l=openbsd-misc&m=109755604901842&w=2
* http://marc.info/?l=openbsd-misc&m=115312797220810&w=2
* http://marc.info/?l=openbsd-misc&m=115296366703096&w=2
* http://marc.info/?l=openbsd-misc&m=117662121618527&w=2

They are all talking about the dhcpd of OpenBSD. In my case the dhcpd comes from a Linux system and is an ISC DHCPD v3.0.3 (which supports dynamic updates).
Re: Wrong ownership of /var/named/master ?
On Sun, Jun 15, 2008 at 08:42:38PM +0200, Andreas Maus wrote:
> Hi.
>
> While configuring named on my sweet new Soekris 5501 I discovered a
> little *uhm* misconfiguration (I would not call it a bug).
>
> By default the permissions of /var/named/master are set to 0755 and
> owned by root:wheel. named runs in the chroot /var/named with the user
> named, group named.

It's reasonable to me: named doesn't need to modify master zones, so don't let it do that. Principle of the least privilege.

<snip>

> Simple fix: chown named /var/named/master

Simpler fix: put dynamically updated zones in slave, which I have done for years.

-- 
Jussi Peltola
Re: Wrong ownership of /var/named/master ?
On Mon, Jun 16, 2008 at 09:32:39AM +, Jussi Peltola wrote:

Hi.

> It's reasonable to me: named doesn't need to modify master zones, so
> don't let it do that. Principle of the least privilege.

Using static zones ... I totally agree.

> Simpler fix: put dynamically updated zones in slave, which I have done
> for years.

O.K. But I am easy to confuse ;) I will never look into slave/ for dynamic zones.

So I guess the best method - and to close this thread ;) - is to make a directory called ... say ... dynamic, make it writable by named and put the zone files of the dynamic zones in it.

Case closed ^^

Thanks for your input.

So long,

Andreas.
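The layout the thread ends on (static zones stay in a root-owned master/, dynamically updated zones and their journals go to a separate directory named can write to), as an added example that is not part of the thread or of OpenBSD's own configuration. It assumes the chroot root /var/named with master/ and slave/ as described in the posts, a new dynamic/ directory as Andreas proposes, and a TSIG key name "dhcp-update" that is a placeholder; the zone name passed to zone_stanza is also a placeholder. journal_dir_from_log reads log lines in the format shown in the original post and names the chroot-relative directory the journal create failed in, which is where named actually needs write access (BIND's default journal is the zone file name with ".jnl" appended, in the same directory, so the directory holding the zone file is the one that must be writable):

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege layout for dynamically
# updated zones in a chrooted BIND, plus a check that reads named's log to find
# which directory the journal create failed in.
#
# Assumptions (not stated on the page): key name "dhcp-update", zone name and
# file names are placeholders, NAMED_ROOT defaults to OpenBSD's /var/named.
set -u

NAMED_ROOT="${NAMED_ROOT:-/var/named}"
NAMED_GROUP="${NAMED_GROUP:-named}"

# Field N of "ls -ld PATH": 1 = symbolic mode, 3 = owner, 4 = group.
# ls is used instead of stat because stat's flags differ between BSD and GNU.
ls_field() { ls -ld "$1" | awk -v n="$2" '{print $n}'; }

# True when the group write bit is set (mode string like drwxrwxr-x).
group_writable() {
    case "$(ls_field "$1" 1)" in
        d????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# True when "others" have write; a world-writable zone directory is never wanted.
world_writable() {
    case "$(ls_field "$1" 1)" in
        d???????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Create ROOT/dynamic as root:GROUP, mode 0775: named (a member of GROUP) can
# create *.jnl files and dump zones there, but does not own the directory, so
# it cannot change its mode; master/ stays read-only for it.
setup_dynamic_dir() {
    root="$1"; group="$2"
    mkdir -p "$root/dynamic" || return 1
    chgrp "$group" "$root/dynamic" || return 1
    chmod 0775 "$root/dynamic"
}

# Audit: master/ must not be writable by named's group or by world; dynamic/
# must exist, belong to GROUP, be group-writable and not world-writable.
# Prints one line per check, returns 0 only when every check passes.
audit_layout() {
    root="$1"; group="$2"; rc=0
    if group_writable "$root/master" || world_writable "$root/master"; then
        echo "FAIL: $root/master is writable by named; static zones should be read-only for it"; rc=1
    else
        echo "ok: $root/master is read-only for named"
    fi
    if [ ! -d "$root/dynamic" ]; then
        echo "FAIL: $root/dynamic missing"; rc=1
    elif [ "$(ls_field "$root/dynamic" 4)" != "$group" ] || ! group_writable "$root/dynamic"; then
        echo "FAIL: $root/dynamic must be group $group and group-writable"; rc=1
    elif world_writable "$root/dynamic"; then
        echo "FAIL: $root/dynamic is world-writable"; rc=1
    else
        echo "ok: $root/dynamic is writable by group $group only"
    fi
    return $rc
}

# Read named log lines (files given as arguments, or stdin) and print, once
# each, the chroot-relative directory of every journal that could not be
# created, e.g. "master" for
# "... master/zone.example.jnl: create: permission denied".
journal_dir_from_log() {
    awk '/\.jnl: create: permission denied$/ {
            path = $(NF-3); sub(/:$/, "", path)
            n = split(path, parts, "/")
            dir = (n > 1) ? substr(path, 1, length(path) - length(parts[n]) - 1) : "."
            if (!seen[dir]++) print dir
         }' "$@"
}

# named.conf zone stanza: the zone file (and hence its .jnl) lives under
# dynamic/, and only holders of the TSIG key may send updates. Note that
# allow-update with a key lets that key change ANY record in the zone.
zone_stanza() {
    zone="$1"; keyname="$2"
    cat <<EOF
zone "$zone" {
    type master;
    file "dynamic/$zone";
    allow-update { key "$keyname"; };
};
EOF
}

# Command-line dispatch (does nothing when sourced without arguments).
case "${1:-}" in
    setup)  setup_dynamic_dir "$NAMED_ROOT" "$NAMED_GROUP" ;;
    audit)  audit_layout "$NAMED_ROOT" "$NAMED_GROUP" ;;
    logdir) shift; journal_dir_from_log "$@" ;;
    zone)   zone_stanza "${2:?zone name}" "${3:-dhcp-update}" ;;
esac
```

Run as root on the name server: `sh named-dynamic.sh setup` creates the directory, `sh named-dynamic.sh audit` checks both directories, `sh named-dynamic.sh logdir /var/log/messages` tells you from the log which directory named was denied in, and `sh named-dynamic.sh zone 11g.wlan.badphish.dyndns.org` prints the stanza to paste into named.conf (the zone file itself must already exist there with a serial named can bump). The directory is root-owned and group-writable rather than owned by named, so a compromised named cannot widen its own permissions, and master/ is left exactly as OpenBSD ships it. If the updating key should only be allowed to touch particular names or record types, replace allow-update with BIND's update-policy, which can grant per-name and per-type rights instead of the whole zone.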
Wrong ownership of /var/named/master ?
Hi.

While configuring named on my sweet new Soekris 5501 I discovered a little *uhm* misconfiguration (I would not call it a bug).

By default the permissions of /var/named/master are set to 0755 and owned by root:wheel. named runs in the chroot /var/named with the user named, group named.

For most operations this permission/ownership is sufficient. But if you try to use dynamic updates named will fail to create the required journals:

15-Jun-2008 16:31:29.885 zone internal.wlan.badphish.dyndns.org/IN: sending notifies (serial 200806131)
15-Jun-2008 16:40:22.278 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' A
15-Jun-2008 16:40:22.279 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' TXT
15-Jun-2008 16:40:22.280 journal file master/11g.wlan.badphish.dyndns.org.jnl does not exist, creating it
15-Jun-2008 16:40:22.280 master/11g.wlan.badphish.dyndns.org.jnl: create: permission denied
15-Jun-2008 16:40:22.280 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': error: journal open failed: unexpected error

and dynamic updates will not work.

Simple fix: chown named /var/named/master

Is this a known issue? At least the permissions of /var/named/master have been root:wheel since 4.1 (I am using 4.3 right now). Perhaps this can be fixed in 4.4, or is there a special reason to set /var/named/master to root:wheel?

Many thanks in advance,

Andreas.
Re: Wrong ownership of /var/named/master ?
Andreas Maus wrote:
> Hi.
>
> While configuring named on my sweet new Soekris 5501 I discovered a
> little *uhm* misconfiguration (I would not call it a bug).
>
> By default the permissions of /var/named/master are set to 0755 and
> owned by root:wheel. named runs in the chroot /var/named with the user
> named, group named.
>
> For most operations this permission/ownership is sufficient. But if you
> try to use dynamic updates named will fail to create the required
> journals:
>
> 15-Jun-2008 16:31:29.885 zone internal.wlan.badphish.dyndns.org/IN: sending notifies (serial 200806131)
> 15-Jun-2008 16:40:22.278 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' A
> 15-Jun-2008 16:40:22.279 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': adding an RR at 'nibbler.11g.wlan.badphish.dyndns.org' TXT
> 15-Jun-2008 16:40:22.280 journal file master/11g.wlan.badphish.dyndns.org.jnl does not exist, creating it
> 15-Jun-2008 16:40:22.280 master/11g.wlan.badphish.dyndns.org.jnl: create: permission denied
> 15-Jun-2008 16:40:22.280 client 192.168.254.202#1025: updating zone '11g.wlan.badphish.dyndns.org/IN': error: journal open failed: unexpected error
>
> and dynamic updates will not work.
>
> Simple fix: chown named /var/named/master
>
> Is this a known issue? At least the permissions of /var/named/master
> have been root:wheel since 4.1 (I am using 4.3 right now). Perhaps this
> can be fixed in 4.4, or is there a special reason to set
> /var/named/master to root:wheel?
>
> Many thanks in advance,
>
> Andreas.

Probably the file you gave named in the zone section of named.conf needs to exist in the first place. Give named sufficient permission to read and, for dynamic update, to write in it - no bug here and no need to change directory ownership.