From owner-freebsd-questions Fri Oct 18 13:52:15 2002
From: Vivek Khera <khera@kciLink.com>
To: freebsd-questions@freebsd.org
To: "Dan Langille"
Subject: Re: bind with TSIG needs chgrp bind /etc/namedb
Date: Fri, 18 Oct 2002 16:52:07 -0400 (EDT)
Newsgroups: ml.freebsd.questions
References: <3DAC27C5.23526.3E9077@localhost>
Sender: owner-freebsd-questions@FreeBSD.ORG

>>>>> "DL" == Dan Langille writes:

DL> I've been adding TSIG to various domains. But I've found that on my
DL> slave servers, I've had to set the directory permissions as this:

DL> $ ls -ld /etc/namedb/
DL> drwxrwxr-x 4 root bind 512 Oct 15 09:26 /etc/namedb/
DL> $ ls -ld /etc/namedb/secondary/
DL> drwxr-x--- 2 bind bind 512 Oct 15 09:25 /etc/namedb/secondary/

DL> named is running as: /usr/sbin/named -u bind -g bind

DL> Some bits from /etc/namedb/named.conf:

DL> options {
DL> directory "/etc/namedb";

I found this too.
I really don't like having /etc/namedb group writable. The secondary
directory is already so, and must be, so I just use that as the main
directory in the options flag, then for all other files, use
"../master/foo.com" instead of "master/foo.com", and for the secondaries,
use "bar.com" instead of "secondary/bar.com". This way, the TSIG info is
written in the "safe" secondary directory, and the main namedb directory
is safe from being mucked with by the sandboxed process.

I think they would have been smart to make the directory for TSIG info a
config variable.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera  Y!: vivek_khera  http://www.khera.org/~vivek/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
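The layout Vivek describes, as an added example that is not part of the thread and not code from either poster or from BIND: a POSIX shell script that builds a scratch copy of the /etc/namedb tree, writes the named.conf fragment with "directory" pointed at secondary/ and master zones reached through "../master", and checks the two properties that matter here: the top-level directory is not group or world writable (so the sandboxed named cannot add or replace files in it), while the directory handed to named is writable by the account it runs as. The scratch paths under $ROOT, the use of the current uid/gid in place of bind:bind, and the 192.0.2.1 master address are constructed for the demo; on a real host the tree is /etc/namedb and the account is the bind user and group from `named -u bind -g bind`.

```shell
#!/bin/sh
# Added example, not code from the thread: build a scratch copy of the
# /etc/namedb layout discussed above and check that the top-level directory
# is not group/world writable while secondary/ (the "directory" given to
# named) is writable by the account named runs as.  Paths under $ROOT and
# the uid/gid used for the demo are constructed; on a real host they would
# be /etc/namedb and the bind user/group.
set -eu

# Field helpers over `ls -ldn` (numeric ids, so no passwd lookup is needed;
# works with both BSD and GNU ls).  Mode string positions: 3 = owner write,
# 6 = group write, 9 = other write.
mode_char() { ls -ldn "$1" | cut -c"$2"; }
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }
owner_gid() { ls -ldn "$1" | awk '{print $4}'; }

# Returns 0 if PATH is writable by group or other, 1 otherwise.
is_group_or_world_writable() {
    [ "$(mode_char "$1" 6)" = w ] || [ "$(mode_char "$1" 9)" = w ]
}

# writable_by UID GID PATH: can an account with this uid/gid write to PATH
# via the owner bit, the group bit, or the other bit?
writable_by() {
    if [ "$(owner_uid "$3")" = "$1" ] && [ "$(mode_char "$3" 3)" = w ]; then return 0; fi
    if [ "$(owner_gid "$3")" = "$2" ] && [ "$(mode_char "$3" 6)" = w ]; then return 0; fi
    [ "$(mode_char "$3" 9)" = w ]
}

# check_layout ROOT UID GID: prints "ok" and returns 0 when ROOT is safe
# from the sandboxed named and ROOT/secondary is writable by it.
check_layout() {
    if is_group_or_world_writable "$1"; then
        echo "FAIL: $1 is group/world writable"; return 1
    fi
    if ! writable_by "$2" "$3" "$1/secondary"; then
        echo "FAIL: $1/secondary is not writable by uid $2/gid $3"; return 1
    fi
    echo ok
}

# write_named_conf ROOT: the options/zone fragment from the thread, with
# "directory" pointing at secondary/ and master zones reached via ../master.
write_named_conf() {
    cat > "$1/named.conf" <<EOF
options {
    // the only tree the sandboxed named can write; TSIG/journal files land here
    directory "$1/secondary";
};
zone "foo.com" {
    type master;
    file "../master/foo.com";   // unwritable tree, reached relatively
};
zone "bar.com" {
    type slave;
    file "bar.com";             // relative to secondary/
    masters { 192.0.2.1; };     // constructed documentation address
};
EOF
}

# Demo with a scratch tree owned by the current user, standing in for bind.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/master" "$ROOT/secondary"
chmod 755 "$ROOT"            # drwxr-xr-x: the "safe" main directory
chmod 750 "$ROOT/secondary"  # drwxr-x---: what Dan's listing shows for secondary/
write_named_conf "$ROOT"
check_layout "$ROOT" "$(id -u)" "$(id -g)"
```

The check deliberately reads only the mode bits and numeric owner/group, so it gives the same answer whether or not it runs as root; the same two functions can be pointed at the real /etc/namedb with the bind uid and gid after a change like the one Dan made, to confirm the top directory did not become group writable along the way.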