Re: Ownership of /var/named Changes on Reboot.
On 17/06/2010 04:21:34, Peter Boosten wrote:
> On 17-6-2010 4:58, Robert Huff wrote:
>> Martin McCormick writes:
>>> Is there a way to keep /var/named owned by bind across reboots?
>>
>> Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.
>
> Permissions are set using the mtree files: /etc/mtree/

Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.

This used to generate a warning from bind about not having a writable current working directory -- which was basically harmless and could be ignored. However recent changes mean bind needs a writable working directory, so the latest layouts include /var/named/etc/namedb/working

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Ownership of /var/named Changes on Reboot.
On 17 June 2010 08:47, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> On 17/06/2010 04:21:34, Peter Boosten wrote:
>> On 17-6-2010 4:58, Robert Huff wrote:
>>> Martin McCormick writes:
>>>> Is there a way to keep /var/named owned by bind across reboots?
>>>
>>> Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.
>>
>> Permissions are set using the mtree files: /etc/mtree/
>
> Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable current working directory -- which was basically harmless and could be ignored. However recent changes mean bind needs a writable working directory, so the latest layouts include /var/named/etc/namedb/working
>
> Cheers,
>
> Matthew

So the logical extension to this is: by changing the ownership of the directory to bind, you are making the configuration directory writable, and therefore you are actually lowering security.
Re: Ownership of /var/named Changes on Reboot.
On 17/06/2010 09:37:03, krad wrote:
> So the logical extension to this is: by changing the ownership of the directory to bind, you are making the configuration directory writable, and therefore you are actually lowering security.

Correct.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: Ownership of /var/named Changes on Reboot.
Matthew Seaman writes:
> Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable current working directory -- which was basically harmless and could be ignored. However recent changes mean bind needs a writable working directory, so the latest layouts include /var/named/etc/namedb/working

That turned out to be the issue. I reset the permissions to match the way they are when one first installs bind. Root owns /var/named, but bind owns directories that should be writable, so the trick is to set one's named.conf file to reference writable directories for all the zones, logs and named.pid. It is now starting automatically on reboot just like it should.

While bind owns all the writable subdirectories, they all still have wheel as their GID. That appears to be okay since they are all only writable by owner.

Thanks for explaining this annoying little mystery that has dogged me at a minor level for years. I have been running bind for Oklahoma State University for close to 18 years, and one tends to stick with configurations that work. It is just time to modernize and at least configure bind in the recommended way so as to take full advantage of the clever design.

It does still give the message that the working directory is not writable.

Martin McCormick
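Matthew's description of the intended layout earlier in this thread and Martin's summary here come down to one rule: root owns the configuration tree and the static zone files, and bind owns only the directories it has to write (slave and dynamic zones, the working directory, the pid file). The script below is an added example, not code from FreeBSD's rc.d/named or mtree specs and not from anyone in this thread: it parses a named.conf, looks up every directory the config references in an ownership table, and reports each directory that is writable by the named user when it should not be, or unwritable when it must be. The sample named.conf, the ownership table and uid/gid 53 for bind are constructed for the example; paths are as named sees them inside the chroot.

```python
"""Audit a BIND named.conf against the layout this thread describes: an unprivileged
named must NOT be able to write its config directory or static master zones, but MUST
be able to write slave (AXFR'd) zones, dynamic zones, its working directory and pid
file.  Added example, not FreeBSD's or the thread's code; sample data is constructed."""
import posixpath
import re
import stat
from typing import Dict, Iterable, List, NamedTuple

DirPerms = NamedTuple("DirPerms", [("uid", int), ("gid", int), ("mode", int)])
Zone = NamedTuple("Zone", [("name", str), ("ztype", str), ("file", str), ("dynamic", bool)])

def writable_by(p: DirPerms, uid: int, gids: Iterable[int]) -> bool:
    """POSIX mode check (no ACL/MAC); uid 0 is deliberately not special-cased."""
    bit = stat.S_IWUSR if p.uid == uid else stat.S_IWGRP if p.gid in gids else stat.S_IWOTH
    return bool(p.mode & bit)

def block_after(text: str, start: int) -> str:
    """Body of the first {...} opening at/after `start`; nested braces are honoured."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")

def parse_named_conf(conf: str):
    """Return ({option: path}, [Zone, ...]) for the pieces the audit needs."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # strip /* */ comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)             # strip // and # comments
    options: Dict[str, str] = {}
    zones: List[Zone] = []
    m = re.search(r"\boptions\s*\{", conf)
    if m:
        body = block_after(conf, m.start())
        for key in ("directory", "pid-file"):  # lookbehind excludes managed-keys-directory
            km = re.search(r'(?<![\w-])%s\s+"([^"]+)"' % key, body)
            if km:
                options[key] = km.group(1)
    for zm in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        body = block_after(conf, zm.end())
        t = re.search(r"\btype\s+(\w+)", body)
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        if t and f:  # forward zones and the like keep no file on disk
            dyn = re.search(r"\b(allow-update|update-policy)\s*\{", body) is not None
            zones.append(Zone(zm.group(1), t.group(1), f.group(1), dyn))
    return options, zones

def audit(conf: str, conf_dir: str, dirs: Dict[str, DirPerms],
          uid: int, gids: Iterable[int]) -> List[str]:
    """Return policy violations ([] == layout matches the design).  `conf_dir` holds
    named.conf itself; `dirs` maps each directory (chroot-relative) to its perms."""
    options, zones = parse_named_conf(conf)
    problems: List[str] = []

    def check(path: str, must_write: bool, why: str) -> None:
        w = writable_by(dirs[path], uid, gids) if path in dirs else None
        if w is None:
            problems.append("%s: %s missing from ownership table" % (why, path))
        elif w != must_write:
            problems.append("%s: %s must%s be writable by uid %d"
                            % (why, path, "" if must_write else " NOT", uid))
    check(conf_dir, False, "config directory")
    if "directory" in options:
        check(options["directory"], True, "options directory")
    if "pid-file" in options:
        check(posixpath.dirname(options["pid-file"]), True, "pid-file")
    for z in zones:  # named writes slave and dynamic zones; everything else is static
        check(posixpath.dirname(z.file), z.ztype in ("slave", "stub") or z.dynamic,
              "zone %s (%s)" % (z.name, z.ztype + (", dynamic" if z.dynamic else "")))
    return problems

BIND_UID, BIND_GIDS = 53, {53}  # constructed; FreeBSD's bind user and group
# Constructed per the thread: root:wheel owns config + static zones, bind the rest, all 0755.
GOOD_DIRS = {
    "/etc/namedb":         DirPerms(0, 0, 0o755),
    "/etc/namedb/master":  DirPerms(0, 0, 0o755),
    "/etc/namedb/slave":   DirPerms(BIND_UID, 0, 0o755),
    "/etc/namedb/dynamic": DirPerms(BIND_UID, 0, 0o755),
    "/etc/namedb/working": DirPerms(BIND_UID, 0, 0o755),
    "/var/run/named":      DirPerms(BIND_UID, 0, 0o755),
}
# The "fix" krad warns against: chown the configuration directory to bind.
BAD_DIRS = {**GOOD_DIRS, "/etc/namedb": DirPerms(BIND_UID, 0, 0o755)}

SAMPLE_CONF = """
options {  // all paths are relative to the chroot directory (/var/named)
    directory "/etc/namedb/working"; pid-file "/var/run/named/pid"; };
zone "example.org" { type master; file "/etc/namedb/master/example.org.db"; };
zone "example.net" { type slave; masters { 192.0.2.1; };
    file "/etc/namedb/slave/example.net.db"; };
zone "dyn.example.org" { type master; allow-update { key "dhcp-update"; };
    file "/etc/namedb/dynamic/dyn.example.org.db"; };
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "/etc/namedb", BAD_DIRS, BIND_UID, BIND_GIDS))
```

Run as a script it reports the single violation in the "bad" table, which is exactly the chown krad warns about: making /etc/namedb bind-owned turns the configuration directory writable while every zone directory still passes. On a real host the table would be filled from os.stat() on each directory under the chroot, and the check is worth re-running after a reboot, since that is when the mtree specs Peter mentions re-apply the ownership.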
Ownership of /var/named Changes on Reboot.
I run named chrooted to bind but not in a jail. When the system reboots, something changes ownership of /var/named back to root:wheel. I have thought several times I figured out how to prevent this from happening, but to no avail. The most promising lead was the following directives in /etc/rc.conf.local:

    named_uid=bind                  # User to run named as
    named_chrootdir=                # Chroot directory (or not to auto-chroot it)
    named_chroot_autoupdate=YES     # Automatically install/update chrooted

Is there a way to keep /var/named owned by bind across reboots? Our production FreeBSD systems are up for years at a time so we don't see this problem often, but we have just been lucky that I am usually the one to reboot and know that named will come up broken and exit because named can not write in to /var/named when it is owned by root. It would be really nice to be able to count on /var/named staying put so named can just start automatically after a reboot.

I prefer for named to run as a low-priority UID rather than as root so if I am doing something wrong, tell me that, also. We have been running named with a high-numbered UID for probably ten years and the force back to root ownership has always been a factor when the system is rebooted.

Thank you.

Martin McCormick WB5AGZ     Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Ownership of /var/named Changes on Reboot.
Martin McCormick writes:
> Is there a way to keep /var/named owned by bind across reboots?

Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.

Robert Huff
Re: Ownership of /var/named Changes on Reboot.
On 17-6-2010 4:58, Robert Huff wrote:
> Martin McCormick writes:
>> Is there a way to keep /var/named owned by bind across reboots?
>
> Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.

Permissions are set using the mtree files: /etc/mtree/

Peter
-- 
http://www.boosten.org