Date: Mon, 1 Sep 2008 15:31:07 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-current@FreeBSD.ORG, Alex Goncharov <alex-goncharov@comcast.net>
Subject: Re: named mystery -- error: dumping master file: master/tmp-wTjhUzoix6
Message-ID: <200809011331.m81DV7pq094904@lurza.secnetix.de>
In-Reply-To: <E1Ka8cJ-000GgI-Um@daland.home>
Alex Goncharov wrote:
> [...]
> After this change, every time I restart `named', the ownership of the
> `master' directory is changed to `bind' -- and this is what I want:
> user `bind', I would think, should be allowed to write to this
> directory.

No, it shouldn't. It's a security matter. If there's an exploitable
bug in BIND, an attacker could manipulate your master zone files.
That's why the bind user should *not* be able to write to your master
directory. There's no reason that the named process needs write access
to the master directory. If you use dynamic zone updates, you should
use the "dynamic" directory for those zones, which is writable by bind.

> Who changes the owner of the `master' directory from `bind' to
> `root'?

I'm sorry, I don't know.

In fact I have a similar problem with mtree: I want /var/mail to be
mode 1777 (the reason is to make dot-locking work), so I changed
BSD.var.dist to include "mode=01777" for the mail directory, but it
doesn't work. After an installworld the directory is back to 0775.
I have no idea why. My workaround is to insert a chmod command in
/etc/rc.local. It's not pretty, but it works.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, managed by:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht
München, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"We, the unwilling, led by the unknowing, are doing the impossible for
the ungrateful. We have done so much, for so long, with so little, we
are now qualified to do anything with nothing." -- Mother Teresa
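As an added example (not code from this thread or from FreeBSD), a small sh script that audits a BIND working directory for the rule stated in the reply: the named user must not be able to write `master', but must be able to write `dynamic'. It assumes a ROOT/master and ROOT/dynamic layout and takes the named user as a numeric uid:gid so it runs on a machine without a `bind' account (53:53 is assumed here as FreeBSD's bind user); the demo builds a throwaway layout owned by the current user and shows the chown-to-bind situation being flagged.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit a BIND
# working directory. The named user must not be able to write ROOT/master
# but must be able to write ROOT/dynamic. The named user is passed as a
# numeric uid:gid; 53:53 below is assumed to be FreeBSD's bind user.

# Print "uid gid mode" for a path; GNU stat first, BSD stat as fallback.
file_ugm() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %OLp' "$1" 2>/dev/null
}

# can_write DIR UID GID: succeed if UID:GID could write DIR judging by the
# plain permission bits only (root, supplementary groups and ACLs ignored).
can_write() {
    set -- "$2" "$3" $(file_ugm "$1")
    [ $# -eq 5 ] || return 1            # path missing or stat failed
    # $1 uid  $2 gid  $3 owner  $4 group  $5 mode; keep the last three
    # octal digits so a sticky 1777 (the /var/mail case) reads as 777.
    set -- "$1" "$2" "$3" "$4" "${5#${5%???}}"
    [ "$1" = "$3" ] && [ $(( 0$5 & 0200 )) -ne 0 ] && return 0
    [ "$2" = "$4" ] && [ $(( 0$5 & 020 )) -ne 0 ] && return 0
    [ $(( 0$5 & 02 )) -ne 0 ]
}

# audit_bind_root ROOT UID GID: print one line per violation, return count.
audit_bind_root() {
    _bad=0
    if can_write "$1/master" "$2" "$3"; then
        echo "FAIL: $1/master writable by $2:$3 (named must not write master zones)"
        _bad=$((_bad + 1))
    fi
    if ! can_write "$1/dynamic" "$2" "$3"; then
        echo "FAIL: $1/dynamic not writable by $2:$3 (dynamic zones belong here)"
        _bad=$((_bad + 1))
    fi
    return $_bad
}

# Demo on a constructed layout owned by the current user.
demo() {
    _t=$(mktemp -d "${TMPDIR:-/tmp}/bindaudit.XXXXXX") || return 1
    mkdir -m 0755 "$_t/master"; mkdir -m 0775 "$_t/dynamic"
    echo "# named as foreign uid 53:53: master safe, dynamic not owned by it"
    audit_bind_root "$_t" 53 53 || echo "findings: $?"
    echo "# named as the owner, i.e. after master was chowned to bind"
    audit_bind_root "$_t" "$(id -u)" "$(id -g)" || echo "findings: $?"
    rm -rf "$_t"
}
demo
```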