From owner-freebsd-security  Fri Dec 10 12:16: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14])
	by hub.freebsd.org (Postfix) with ESMTP id 85F4E157F7
	for <freebsd-security@FreeBSD.ORG>; Fri, 10 Dec 1999 12:03:51 -0800 (PST)
	(envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47])
	by vinyl.sentex.ca (8.9.3/8.9.3) with SMTP id PAA30182;
	Fri, 10 Dec 1999 15:03:41 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <3.0.5.32.19991210150235.01516100@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 10 Dec 1999 15:02:35 -0500
To: dfoo@webct.com, freebsd-security@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: Jailing BIND, named-xfer problems
In-Reply-To: <38514E5F.4C1775C7@ca.webct.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:02 AM 12/10/99 -0800, Darren Foo wrote:
>	I recently upgraded and chrooted bind. Unfortunately, my secondary DNS
>server won't update from my primary because it can't run named-xfer. It
>either gives me a "permission denied" or "can't find file" error
>message. I've tried changing the options named-xfer in named.conf but it
>still doesn't work. I compiled bind with static libraries and changed
>the permissions and ownership on named-xfer to no avail.


Where is it trying to write the bk. files to ?  That directory must be
writeable by the bind UID.  Also, did you specify the path to named-xfer ?
For example,



// the directory  /etc/namedb/s is owned by the UID:GID bind:bind
// so bind can write to it
options {
        directory "/etc/namedb";
        named-xfer "/usr/local/libexec/named-xfer";   // _PATH_XFER
        pid-file "/etc/namedb/s/named.pid";  // _PATH_PIDFILE
        forward only;
        dump-file "s/named_dump.db";
};
// note the bk. file is written to the directory s

zone "myexample.ca" { type slave; file "s/bk.myexample.ca";masters
{192.168.1.1;};};




	---Mike
------------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administrator,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message