From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 15 Mar 2002 13:45:00 +0100
From: Stefan Boresch
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] bind-9.1.3-r7
Message-ID: <20020315124500.GG13662@mdy.univie.ac.at>
References: <20020307020701.B6B4.TODD@doonga.net>
User-Agent: Mutt/1.3.25i

On Fri, Mar 15, 2002 at 11:30:00AM +0100, gentoo-user@devrieze.net wrote:
> On Thu, 7 Mar 2002, Todd Punderson wrote:
>
> > Also /var/bind needs to be owned by named.named in order for the zone
> > files to be read (since I did an upgrade, this bit me, it may not on a
> > new install)
> >
>
> The reason for the change was that bind used to run as root
> (inadvertently). It is not safe (or necessary to do so) to run named as
> root. For named to run as a different user (that's what the -u option
> does) it needs to be able to write its pid file. This location can be
> specified in the config file. This option was included there too. It is
> not necessary / not safe for the /var/bind dir to be owned by named. Named
> does need to be able to read it though. Only if you want to use dynamic
> updates, the files to which you want bind to have access must be owned
> by named. Be very careful with dynamic update though, as it might
> compromise your server (and with it possibly your network).
>

I am by god no bind expert, only forced by local circumstances to run
named. The issue of the .pid file raised by the original poster is easily
solved by adding a pid-file option to your /etc/bind/named.conf:

    options {
            directory "/var/bind";
            pid-file "/var/run/named/named.pid";
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
    };

However, the ownership of /var/bind is more crucial. I don't think the
problem is with reading if you have standard rw-r--r-- permissions on zone
files; i.e. create files with a 022 umask. However, a secondary name server
(which I need) needs to be able to write transferred zonefiles somewhere,
and with the above directory option these end up in /var/bind, failing if
/var/bind isn't owned by named.named. I guess I could put them into
/var/bind/sec and make this directory writable to named.named. However,
where is the security problem of /var/bind being owned by named.named in
the first place?

Further, it would seem that bind/named drops all privileges anyways, since
starting named without -u fails to write a .pid file at all (permission
denied), which is not consistent with root permissions.

[Sorry, I come from the bind 8.* world and hope to get by with using my
old config files...]

HTH, and thanks for any clarifications (my gentoo bind9 server should go
into production fairly soon :-)

Stefan
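The layout the two replies above converge on (named can read /var/bind but not write it, gets a separate directory for transferred secondary zones, and owns only the pid-file directory), as an added example that is not part of the thread; the ROOT prefix, the NAMED_USER account name and the 192.0.2.1 master address are assumptions:

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the directory layout argued for
# above: a non-root named reads /var/bind but cannot write it, gets its own
# directory for transferred (secondary) zones, and writes its pid file where it owns.
# ROOT is an assumed prefix so the script can be tried without touching a real system.
ROOT="${ROOT:-/tmp/bind-layout-demo}"
NAMED_USER="${NAMED_USER:-named}"    # assumed account name

setup_layout() {
    mkdir -p "$ROOT/var/bind/sec" "$ROOT/var/run/named" "$ROOT/etc/bind"
    chmod 0755 "$ROOT/var/bind"        # master zones: readable by all, writable by owner only
    chmod 0750 "$ROOT/var/bind/sec"    # slave zones: only named's own transferred files
    chmod 0755 "$ROOT/var/run/named"   # pid-file directory, to be owned by named
    # chown only when running as root and the account exists; otherwise the demo
    # keeps the invoking user as owner, which is enough to exercise the checks.
    if [ "$(id -u)" -eq 0 ] && id "$NAMED_USER" >/dev/null 2>&1; then
        chown root:"$NAMED_USER" "$ROOT/var/bind"
        chown "$NAMED_USER:$NAMED_USER" "$ROOT/var/bind/sec" "$ROOT/var/run/named"
    fi
    # named.conf with the options from the reply; 192.0.2.1 is a constructed placeholder
    cat > "$ROOT/etc/bind/named.conf" <<'EOF'
options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";
};
zone "example.com" {
    type slave;
    file "sec/example.com.zone";   // relative to directory: lands in /var/bind/sec
    masters { 192.0.2.1; };
};
EOF
}

# Permission string of a path, e.g. drwxr-xr-x (ls -ld is POSIX; stat -c is GNU-only).
mode_of() { ls -ld "$1" | cut -c1-10; }
# Returns 0 when the layout matches the advice: zone directory readable but not
# group/world writable, transfer directory private, and pid-file configured.
check_layout() {
    [ "$(mode_of "$ROOT/var/bind")" = "drwxr-xr-x" ] || return 1
    [ "$(mode_of "$ROOT/var/bind/sec")" = "drwxr-x---" ] || return 1
    grep -q 'pid-file "/var/run/named/named.pid";' "$ROOT/etc/bind/named.conf" || return 1
    return 0
}

# Usage: ROOT=/some/prefix sh bind-layout.sh setup
case "${1:-}" in
    setup) setup_layout && check_layout && echo "layout ok under $ROOT" ;;
esac
```

check_layout deliberately fails if /var/bind becomes group- or world-writable, which is the state a blanket chown to named.named plus a loose umask tends to produce.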