From owner-freebsd-net@FreeBSD.ORG Mon Aug 4 13:56:50 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8B80F1065792 for ; Mon, 4 Aug 2008 13:56:50 +0000 (UTC) (envelope-from ady@ady.ro) Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.171]) by mx1.freebsd.org (Postfix) with ESMTP id 0C8DF8FC18 for ; Mon, 4 Aug 2008 13:56:44 +0000 (UTC) (envelope-from ady@ady.ro) Received: by wf-out-1314.google.com with SMTP id 24so1792253wfg.7 for ; Mon, 04 Aug 2008 06:56:44 -0700 (PDT) Received: by 10.142.203.19 with SMTP id a19mr4936696wfg.179.1217856601086; Mon, 04 Aug 2008 06:30:01 -0700 (PDT) Received: by 10.142.54.14 with HTTP; Mon, 4 Aug 2008 06:30:01 -0700 (PDT) Message-ID: <78cb3d3f0808040630o7ad311a5r6da8f821d2bfe63a@mail.gmail.com> Date: Mon, 4 Aug 2008 15:30:01 +0200 From: "Adrian Penisoara" Sender: ady@ady.ro To: "Ian Smith" In-Reply-To: MIME-Version: 1.0 References: <4896A416.80602@FreeBSD.org> X-Google-Sender-Auth: c965ee155b768b1d Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-net@freebsd.org, Doug Barton , Eugene Grosbein Subject: Re: permissions on /etc/namedb X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2008 13:56:50 -0000 Hi, On Mon, Aug 4, 2008 at 12:57 PM, Ian Smith wrote: > On Sun, 3 Aug 2008, Doug Barton wrote: > > Eugene Grosbein wrote: > > > On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote: > [..] > > >>> Well, I just want bind be allowed to write to is working directory. > > >> I think that your idea of "BIND's working directory" is probably > > >> flawed > > > > > > That's not my idea. From /var/log/messages: > > > > > > Aug 3 15:02:18 host named[657]: the working directory is not writable > > > > That is a quaint reminder of a simpler time. It's far better nowadays > > to separate the idea of configuration directories and directories that > > named should write to. (One could easily make the argument that this > > division should have been enforced from the start, and personally I > > never liked having named dropping stuff all over my config directory, > > but I digress.) > > In the olden days (bind 4) named.run, named.stats and named_dump.db were > all written to /var/tmp .. perhaps because it had the sticky bit set? > > > >> but if what you want is to make /etc/namedb writable by the > > >> bind user and have it persist from boot to boot someone else already > > >> told you how to do that, so good luck. > > > > > > Sigh... I have to study mtree now. > > > > If it takes you more than 5 minutes, give up. :) > > > > > And for what reason? Just because the system thinks it knows better > what user needs. > > > > You previously agreed with me that the defaults should be appropriate > > for non-expert users, and I would still argue that they are. > > With the notable exception of making standard functions rndc trace and > querylog work, writing to the default file named.run, which named wants > to write in 'the working directory'. You'll have seen my solution to > that, touching named.run in case it doesn't exist then chown'ing it to > bind:wheel in /etc/rc.d/named, which I don't think endangers security. > > I've not been able to find another solution, and there's no equivalent > of dump-file and statistics-file for the trace/querylog file (that I Quoting from a default distributed /etc/namedb/named.conf: options { // Relative to the chroot directory, if any directory "/etc/namedb"; pid-file "/var/run/named/pid"; dump-file "/var/dump/named_dump.db"; statistics-file "/var/stats/named.stats"; You have to take into account that "directory" is used for any non-absolute pathname specified in named.conf, including the "file" clauses for master/slave zones. If you were to change it now then you would break a lot of setups. I believe that the "working directory" and "root config directory" concepts should have been dissociated. > > can find) but perhaps you know some way the directory to write this > file can be specified in named.conf? Maybe to /var/named/var/log ? > > > Also, I'm not sure whether you've actually looked at the default > > named.conf or not, but the two most common files that someone would > > want to write are the dump and statistics files, and there are already > > suitable paths for those files provided, and the bind user can > > actually write to them by default. It would be trivial to expand those > > examples to other things that are of particular interest to you. > > That's what I thought, but my extensive reading hasn't shown me how to > do that for named.run, so I'd appreciate a clue for a better solution. > Best is to have a sepatate configuration directive for the "working directory" versus "root config directory" assumed by the current "directory" statement. Another idea would be to add a final "options { directory "/var/run/named"; }; " statement at the end of the file -- from the BIND sources it appears that there is a callback function which may pickup this final statement in order to make it the current working directory for the named process. Oh, and in the idea that we should keep the default configuration as simple as possible for the average user and for whatever scenario, here is my proposal: directory "/etc/namedb"; pid-file "/var/run/named/pid"; dump-file "/var/run/named/named_dump.db"; statistics-file "/var/run/named/named.stats"; Now the reasons: - the directory statement should remain the same in order not to break existing "file" functionality for DNS zones; - we should use /var/run/named since this is the single common path available for both chrooted and non-chrooted setups; - rather then dispersing the various output files we should standardize for a single common output location I'm not sure what happens when the user toggles tracing / query logging (with rndc) -- where would these files go by default ? My 2cents, Adrian.