From: Doug Barton
Date: Tue, 15 Dec 2009 13:12:09 -0800
To: Robert Watson
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r200563 - in head/etc: mtree namedb
Message-ID: <4B27FBA9.8090204@FreeBSD.org>
References: <200912150514.nBF5Eej4050810@svn.freebsd.org>

Robert Watson wrote:
> On Tue, 15 Dec 2009, Doug Barton wrote:
>
>> The named process needs to have a "working directory" that it can
>> write to. This is specified in "options { directory }" in named.conf.
>> So, create /etc/namedb/working with appropriate permissions, and
>> update the entry in named.conf to match.
>>
>> In addition to specifying the working directory, file and path names
>> in named.conf can be specified relative to the directory listed.
>> However, since that directory is now different from /etc/namedb
>> (where the configuration, zone, rndc.*, and other files are located)
>> further update named.conf to specify all file names with fully
>> qualified paths. Also update the comment about file and path names
>> so users know this should be done for all file/path names in the file.
>>
>> This change will eliminate the 'working directory is not writable'
>> messages at boot time without sacrificing security. It will also
>> allow for features in newer versions of BIND (9.7+) to work as
>> designed.
>
> On a couple of occasions, I've found myself trying to help people get
> BIND to core dump on a bug, which is a bit tricky in practice. It
> involves setting appropriate sysctls so that sugid processes generate
> cores, arranging for a writable core dump directory in the chroot and
> setting a sysctl so it is found, etc. Does this change simplify that
> process down to "enable core dump for sugid processes"?

It should, yes. I was able to test all the other use cases for an
unprivileged named process so I have every reason to believe that
dumping a core will work too.

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/
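
An added example, not part of the original message or of the FreeBSD commit: once "options { directory }" points at /etc/namedb/working, any file name in named.conf that is not fully qualified resolves under that writable directory instead of /etc/namedb. This Python check flags such names; the keyword list and the sample configuration are assumptions constructed for the illustration.

```python
import re

# Statements whose quoted argument is a file or path name. The selection is an
# assumption made for this example, not a complete list from the BIND grammar.
PATH_KEYWORDS = ("file", "pid-file", "dump-file", "statistics-file",
                 "memstatistics-file", "key-directory", "include")
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
DIR_RE = re.compile(r'(?<![\w-])directory\s+"([^"]*)"')
STMT_RE = re.compile(r'(?<![\w-])(%s)\s+"([^"]*)"'
                     % "|".join(re.escape(k) for k in PATH_KEYWORDS))

def strip_comments(text):
    """Remove /* */, // and # comments, keeping quoted strings and line count."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else "\n" * tok.count("\n")
    return TOKEN_RE.sub(repl, text)

def relative_paths(conf_text):
    """Return (working_dir, [(line, keyword, path)]) for paths not starting with /."""
    text = strip_comments(conf_text)
    m = DIR_RE.search(text)
    workdir = m.group(1) if m else None
    findings = []
    for m in STMT_RE.finditer(text):
        keyword, path = m.groups()
        if not path.startswith("/"):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, keyword, path))
    return workdir, findings

# Constructed sample, not the named.conf shipped by the commit.
SAMPLE = """
options {
    directory   "/etc/namedb/working";
    pid-file    "/var/run/named/pid";
    dump-file   "named_dump.db";      // relative
};
zone "." { type hint; file "/etc/namedb/named.root"; };
# zone "old.example" { type master; file "master/old.db"; };
zone "example.org" { type master; file "master/example.org.db"; };
"""

if __name__ == "__main__":
    workdir, findings = relative_paths(SAMPLE)
    for line, keyword, path in findings:
        print(f'line {line}: {keyword} "{path}" resolves under {workdir}')
```

A zone file flagged this way would be looked up in, and for dynamic or slave zones written to, the working directory, which is the case the commit message avoids by using fully qualified paths throughout.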