From owner-freebsd-current@FreeBSD.ORG Mon Sep 1 14:14:22 2008
From: Alex Goncharov
To: freebsd-current@FreeBSD.ORG, Alex Goncharov
In-reply-to: <200809011331.m81DV7pq094904@lurza.secnetix.de> (message from Oliver Fromme on Mon, 1 Sep 2008 15:31:07 +0200 (CEST))
References: <200809011331.m81DV7pq094904@lurza.secnetix.de>
Date: Mon, 01 Sep 2008 09:58:17 -0400
Cc: freebsd-current@FreeBSD.ORG, alex-goncharov@comcast.net
Subject: Re: named mystery -- error: dumping master file: master/tmp-wTjhUzoix6
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 01 Sep 2008 14:14:22 -0000

,--- Oliver Fromme (Mon, 1 Sep 2008 15:31:07 +0200 (CEST)) ----*
| Alex Goncharov wrote:
| > [...]
| > After this change, every time I restart `named', the ownership of the
| > `master' directory is changed to `bind' -- and this is what I want:
| > user `bind', I would think, should be allowed to write to this
| > directory.
|
| No, it shouldn't.  It's a security matter.  If there's an
| exploitable bug in BIND, an attacker could manipulate your
| master zone files.  That's why the bind user should *not*
| be able to write to your master directory.

OK, I am ready to accept this point of view and make it my starting
point again (I tried, in the past).

| There's no reason that the named process needs write access
| to the master directory.  If you use dynamic zone updates,
| you should use the "dynamic" directory for those zones,
| which is writable by bind.

I just tried a simplistic change:

a. Changed "type master" to "type dynamic" in named.conf.
b. cp master/* dynamic

Starting `named' with this I get:

/etc/namedb/named.conf:358: 'dynamic' unexpected

How do I use the `dynamic' directory?  (If you know the answer -- I'll
do more reading later.)

OTOH, I see this example at
`http://www.boran.com/security/sp/bind9_20010430.html#BM4_setting_jail_permission'

--------------------
zone "test2.com" {
  type master;
  file "test2.com";
  allow-update { updaters; };
};
--------------------

Which is:

a. Close enough to what I have, in my original `named.conf', before a
   `dynamic' change attempt.
b. Implies that updating a master zone is not such an unusual idea.

Any comments on this?

-- Alex -- alex-goncharov@comcast.net --
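As an added example (not from this thread and not FreeBSD's shipped named.conf), here is how a named.conf can keep a static zone under the root-owned `master' directory while putting a dynamically updated zone in the bind-writable `dynamic' directory that Oliver describes; it assumes `directory "/etc/namedb"' is set, and the key name and secret are placeholders.

```conf
// Added example, not from the thread or the FreeBSD default named.conf.
// Assumed FreeBSD layout under directory "/etc/namedb":
//   master/   owned by root, NOT writable by user bind (static zones)
//   dynamic/  owned by bind, writable (zones that accept UPDATE)
options {
    directory "/etc/namedb";   // relative "file" paths resolve under here
};

// TSIG key used to authenticate dynamic updates.  Placeholder name and
// secret; generate a real one and keep it readable only by root and bind.
key "updater-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Static zone: named only reads this file, so it lives under master/.
zone "example.com" {
    type master;
    file "master/example.com";
};

// Dynamic zone: the zone type stays "master" (there is no "type dynamic"),
// but the file sits in dynamic/, where named can rewrite it and keep its
// journal (dyn.example.com.jnl) after accepting an update.
zone "dyn.example.com" {
    type master;
    file "dynamic/dyn.example.com";
    allow-update { key "updater-key"; };   // only TSIG-signed updates
};
```

The zone file is copied into dynamic/ once (as the `cp master/* dynamic' step in the thread does) and must be writable by named, while master/ stays read-only for the bind user.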