From owner-freebsd-net@FreeBSD.ORG Mon Aug 4 10:57:24 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D94811065676;
	Mon, 4 Aug 2008 10:57:24 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by mx1.freebsd.org (Postfix) with ESMTP id D45618FC16;
	Mon, 4 Aug 2008 10:57:22 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id UAA23877;
	Mon, 4 Aug 2008 20:57:19 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 4 Aug 2008 20:57:18 +1000 (EST)
From: Ian Smith
To: Doug Barton
In-Reply-To: <4896A416.80602@FreeBSD.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-net@freebsd.org, Eugene Grosbein
Subject: Re: permissions on /etc/namedb
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 04 Aug 2008 10:57:24 -0000

On Sun, 3 Aug 2008, Doug Barton wrote:
> Eugene Grosbein wrote:
> > On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:

[..]

> >>> Well, I just want bind be allowed to write to its working directory.
> >> I think that your idea of "BIND's working directory" is probably
> >> flawed
> >
> > That's not my idea. From /var/log/messages:
> >
> > Aug 3 15:02:18 host named[657]: the working directory is not writable
>
> That is a quaint reminder of a simpler time. It's far better nowadays
> to separate the idea of configuration directories and directories that
> named should write to. (One could easily make the argument that this
> division should have been enforced from the start, and personally I
> never liked having named dropping stuff all over my config directory,
> but I digress.)

In the olden days (bind 4) named.run, named.stats and named_dump.db were
all written to /var/tmp .. perhaps because it had the sticky bit set?

> >> but if what you want is to make /etc/namedb writable by the
> >> bind user and have it persist from boot to boot someone else already
> >> told you how to do that, so good luck.
> >
> > Sigh... I have to study mtree now.
>
> If it takes you more than 5 minutes, give up. :)
>
> > And for what reason? Just because the system thinks it knows better
> > what the user needs.
>
> You previously agreed with me that the defaults should be appropriate
> for non-expert users, and I would still argue that they are.

With the notable exception of making the standard functions rndc trace
and querylog work, writing to the default file named.run, which named
wants to write in 'the working directory'.

You'll have seen my solution to that, touching named.run in case it
doesn't exist and then chown'ing it to bind:wheel in /etc/rc.d/named,
which I don't think endangers security. I've not been able to find
another solution, and there's no equivalent of dump-file and
statistics-file for the trace/querylog file (that I can find), but
perhaps you know some way the directory to write this file can be
specified in named.conf? Maybe to /var/named/var/log ?

> Also, I'm not sure whether you've actually looked at the default
> named.conf or not, but the two most common files that someone would
> want to write are the dump and statistics files, and there are already
> suitable paths for those files provided, and the bind user can
> actually write to them by default. It would be trivial to expand those
> examples to other things that are of particular interest to you.

That's what I thought, but my extensive reading hasn't shown me how to
do that for named.run, so I'd appreciate a clue for a better solution.

cheers, Ian
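An added named.conf fragment, not from this thread and not FreeBSD's shipped default file, illustrating the split Doug describes: the config directory stays unwritable by the bind user, while dump-file, statistics-file and a file channel for the "queries" logging category (what rndc querylog toggles) point at directories that user owns. The paths are assumptions; /var/named/var/log is the one Ian floats above.

```conf
// Added example (not the thread's or FreeBSD's own named.conf).
// Every file named writes goes outside the config directory; the
// directories named here are assumed to be owned by the bind user.
options {
    directory "/etc/namedb";                     // zones and config: read-only for bind
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";         // written by: rndc dumpdb
    statistics-file "/var/stats/named.stats";    // written by: rndc stats
};

logging {
    // "rndc querylog" turns the queries category on and off; with a file
    // channel attached, the log lands here rather than in the working directory.
    channel query_log {
        file "/var/named/var/log/query.log" versions 5 size 10m;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
};
```

After reloading, `rndc querylog` followed by a few lookups should populate /var/named/var/log/query.log, and `rndc dumpdb` should write /var/dump/named_dump.db, with /etc/namedb still unwritable by bind. This covers the querylog half of the question only: the debug output produced by `rndc trace` still goes to named.run in the working directory, which this fragment does not relocate.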