Date: Tue, 15 Dec 2009 13:12:09 -0800
From: Doug Barton <dougb@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r200563 - in head/etc: mtree namedb
Message-ID: <4B27FBA9.8090204@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.0912151056130.61723@fledge.watson.org>
References: <200912150514.nBF5Eej4050810@svn.freebsd.org> <alpine.BSF.2.00.0912151056130.61723@fledge.watson.org>

Robert Watson wrote:
> On Tue, 15 Dec 2009, Doug Barton wrote:
>
>> The named process needs to have a "working directory" that it can
>> write to. This is specified in "options { directory }" in named.conf.
>> So, create /etc/namedb/working with appropriate permissions, and
>> update the entry in named.conf to match.
>>
>> In addition to specifying the working directory, file and path names
>> in named.conf can be specified relative to the directory listed.
>> However, since that directory is now different from /etc/namedb
>> (where the configuration, zone, rndc.*, and other files are located)
>> further update named.conf to specify all file names with fully
>> qualified paths. Also update the comment about file and path names
>> so users know this should be done for all file/path names in the file.
>>
>> This change will eliminate the 'working directory is not writable'
>> messages at boot time without sacrificing security. It will also
>> allow for features in newer versions of BIND (9.7+) to work as
>> designed.
>
> On a couple of occasions, I've found myself trying to help people get
> BIND to core dump on a bug, which is a bit tricky in practice. It
> involves setting appropriate sysctls so that sugid processes generate
> cores, arranging for a writable core dump directory in the chroot and
> setting a sysctl so it is found, etc. Does this change simplify that
> process down to "enable core dump for sugid processes"?

It should, yes. I was able to test all the other use cases for an
unprivileged named process so I have every reason to believe that
dumping a core will work too.

Doug
--
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
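
Added example, not part of the message above or of the r200563 commit: a sh check for the point made in the commit log, that file names left relative in named.conf now resolve under /etc/namedb/working instead of /etc/namedb. The function names, the list of statements checked, and the sample zones and file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the commit: flag named.conf path statements that are
# still relative and would therefore resolve under the new working directory.

# Print "LINENO:statement" for each relative path; return 1 if any were found.
# Handles // and # comments only; /* ... */ comment blocks are not parsed.
relative_paths() {
    hits=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        grep -nE '(^|[[:space:]{;])(file|pid-file|dump-file|statistics-file)[[:space:]]+"[^/"][^"]*"' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample configuration (zone and file names are made up).
sample_conf() {
    cat <<'EOF'
options {
    directory "/etc/namedb/working";
    // dump-file "named_dump.db";
};
zone "example.org" {
    type master;
    file "master/example.org.db";
};
zone "example.net" {
    type master;
    file "/etc/namedb/master/example.net.db";
};
EOF
}

# Demo run on the constructed sample: only the example.org zone is reported.
tmp=$(mktemp) || exit 1
sample_conf > "$tmp"
relative_paths "$tmp" || echo "relative paths found: rewrite them as fully qualified"
rm -f "$tmp"
```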
