From: Vivek Khera
To: questions@freebsd.org
Subject: Re: Bind, Freebsd and permission problems.
Date: 08 Aug 2001 16:38:15 -0400

>>>>> "EF" == Erin Fortenberry writes:

EF> I run my primary DNS server as bind:bind but I am unable to -HUP it because
EF> it gets a permission denied on the named.conf file. This .conf file is
EF> currently owned by bind:bind with permissions of 440. It does not matter
EF> what I set the permissions to, it does not work.

The actual situation on your disk disagrees with what you are claiming,
because if the file is owned by bind:bind, then there is no way that the
process running as user bind will not be able to read it, unless the
parent directory is unreadable to it.

EF> So my question is, are there any docs to help me either jail named or run it
EF> correctly as something other than root on FreeBSD?

Here's my set up:

[yertle]% ls -ld /etc/namedb
drwxr-xr-x  3 root  wheel  512 Jul 31 17:24 /etc/namedb/

[yertle]% ls -l /etc/namedb
total 15
-rw-r--r--  1 root  wheel   423 Jul 28  2000 PROTO.localhost.rev
-r--r--r--  1 root  wheel   269 Sep 14  2000 local
-r--r--r--  1 root  wheel   271 Sep 14  2000 local.rev
-rw-r--r--  1 root  wheel   261 Sep 14  2000 localhost
-rw-r--r--  1 root  wheel   847 Jun 26 09:12 make-localhost
-rw-r-----  1 root  bind    852 Jul 31 17:24 named.conf
-rw-r--r--  1 root  wheel  2843 Jul 28  2000 named.root
drwxr-xr-x  2 bind  bind    512 Jul 20 15:28 secondaries/

You don't really want named.conf writable by user bind in case some
future bug in bind makes that a vulnerability.

I just run named with "-g bind -u bind" options. Of course, make sure
your named.conf uses /etc/namedb as its path for the files it needs.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
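The check the reply describes (every directory on the path traversable by the named user, named.conf readable by it, writable only by root), as an added example that is not code from the original post: a small Python audit that evaluates the owner/group/other bits the way the kernel does, so you can see which component denies access before reaching for chmod. The uid/gid 53 for bind used below is an assumption; user_first_denied() resolves the real account from the password database.

```python
"""Audit whether a given user can read a file: each directory on the path must
be traversable (x bit) and the file readable (r bit), judged by the classic
owner/group/other rule.  Added example; not code from the original post."""
import grp
import os
import pwd
import stat


def _allowed(mode, f_uid, f_gid, uid, gids, other_bit):
    """Owner bits if uid matches, else group bits if any group matches, else
    'other' bits; other_bit is stat.S_IROTH or stat.S_IXOTH, shifted as needed."""
    if uid == 0:
        return True  # root bypasses read/traverse permission checks
    if uid == f_uid:
        return bool(mode & (other_bit << 6))
    if f_gid in gids:
        return bool(mode & (other_bit << 3))
    return bool(mode & other_bit)


def first_denied(chain, uid, gids):
    """chain: list of (path, st_mode, st_uid, st_gid) from '/' down to the target.
    Returns the first directory the user cannot traverse, the target if it is
    not readable, or None when the whole chain is accessible."""
    *dirs, (target, mode, f_uid, f_gid) = chain
    for path, dmode, d_uid, d_gid in dirs:
        if not _allowed(dmode, d_uid, d_gid, uid, gids, stat.S_IXOTH):
            return path
    if not _allowed(mode, f_uid, f_gid, uid, gids, stat.S_IROTH):
        return target
    return None


def stat_chain(path):
    """Collect (path, mode, uid, gid) for '/' and every component of the path."""
    cur, st = "/", os.stat("/")
    chain = [(cur, st.st_mode, st.st_uid, st.st_gid)]
    for part in os.path.abspath(path).strip("/").split("/"):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
    return chain


def user_first_denied(user, path):
    """Resolve uid and full group set for `user`, then audit the live filesystem."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return first_denied(stat_chain(path), pw.pw_uid, gids)  # e.g. ("bind", "/etc/namedb/named.conf")
```

With the layout from the listing above (root:wheel 755 directories, named.conf root:bind 640) the function returns None for bind, and a 440 bind:bind file is likewise readable, which is why the poster's denial must come from a parent directory or a different effective user.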