From owner-freebsd-questions@FreeBSD.ORG Thu Feb 2 02:39:30 2006
Date: Wed, 01 Feb 2006 20:38:30 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Message-ID: <1E50494AB755848B02FF7875@Paul-Schmehls-Computer.local>
Subject: Re: )(*&)(*&)(*&)(*& named
List-Id: User questions <freebsd-questions@freebsd.org>

--On February 2, 2006 7:04:06 AM +0800 Daniel wrote:

>
> The biggest difference between running as root and the startup script
> are the command line arguments given in either case.
>
> Script flags: -u bind -t /var/named
> CLI flags: -c /usr/local/etc/named.conf -u root
>
Yes, I know.  I'm starting the daemon as root because it can't write to
the pidfile when it's started as bind.

> The man page will show you that the -t flag indicates you want named
> to chroot (recommended practice).  It also is running as bind and not
> root.
>
Yes, I know that as well.

> Check out /var/named and your named config file.  You will probably
> find that /var/named/named.pid is not writable by the user bind.
>
It's writeable as bind.

ls -lsa /var/named/
total 19
2 drwxr-xr-x   5 root  wheel   512 Feb  1 20:30 .
2 drwxr-xr-x  20 root  wheel   512 Jan 27 17:42 ..
2 -rw-r--r--   1 bind  bind    212 Feb  1 20:15 127.0.0
1 dr-xr-xr-x   4 root  wheel   512 Feb  1 20:33 dev
2 drwxr-xr-x   3 root  wheel   512 Feb  1 20:11 etc
2 -rw-r--r--   1 bind  bind    580 Feb  1 20:14 friendshipforest.zone
2 -r--r--r--   1 bind  bind   1511 Feb  1 20:14 named.ca
2 -rw-r--r--   1 bind  bind      6 Feb  1 20:20 named.pid
2 -rw-r--r--   1 bind  bind    516 Feb  1 20:14 stovebolt.zone
2 drwxr-xr-x   6 root  wheel   512 Feb  1 20:11 var

I removed /var/named and let the script recreate it.  Now it can't find
named.conf.

> You may also find that the named config isn't specifying a full path
> to be used within the chroot directory (/var/named).
>
options {
        directory "/var/named";
        allow-transfer { none; };
        allow-query { any; };
        allow-recursion { local-info; };
        listen-on { 127.0.0.1; 66.221.101.248; };
        version "nice try";
        auth-nxdomain yes;
        # pid-file "named.pid";
        blackhole { "bogusnet"; };
        query-source address * port 53;
};

> Below is the config for my named that runs chrooted.
> directory "/";
> pid-file "/named.pid";
> dump-file "/dump/named_dump.db";
> statistics-file "/stats/named.stats";
>
> Yours may look something like:
> directory "/var/named/";
> pid-file "/var/named/named.pid";
> dump-file "/var/named/dump/named_dump.db";
> statistics-file "/etc/named/stats/named.stats";
>
And where do the zone files go?  Where does the rndc.key file go?  Where
does the named.conf file go?

> The paths in named.conf need to be relative to the chroot, not the base.
>
I'm not sure what you mean here.  The chroot directory is /var/named.
The directory specified in named.conf is /var/named.  To what are you
referring when you say "the paths"?

>>
>> When I try to start named using rndc, I get this:
>>
>> rndc start
>> rndc: connect failed: connection refused
>
> rndc does not have a command "start"
>
Missed that.

> restart is also not yet implemented.
>
Knew that.

>
> Writing your own startup scripts is unnecessary, especially for
> something that already has one (or in this case, maybe two, /etc/rc.d
> and /usr/local/etc/rc.d)
>
Except for one niggling problem.  It doesn't work.  Due to my ignorance,
I'm sure, but it doesn't work.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
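Added example, not part of the thread and not code from either poster: the
point Daniel is making is that after `named -t /var/named` every path in
named.conf is looked up inside the chroot, so `directory "/var/named"`
resolves to /var/named/var/named on the host, which is why the script-started
daemon cannot find its files or its pidfile. The script below maps the
`directory` and `pid-file` options of a named.conf to their host-side
locations for a given chroot and reports which ones are missing. It assumes a
BIND 9 style `options { ... }` block with double-quoted values and that
relative paths are taken relative to `directory`; the demo chroot layout and
both config files are constructed in a scratch directory for illustration.

```shell
#!/bin/sh
# Added example: check where chrooted named.conf paths land on the host.
# Not code from the mailing-list thread; the demo chroot is constructed.

# host_path CHROOT PATH: host-side location of PATH as named sees it
# after it has chroot(2)ed into CHROOT.
host_path() {
    base=${1%/}
    case $2 in
        /*) printf '%s%s\n' "$base" "$2" ;;
        *)  printf '%s/%s\n' "$base" "$2" ;;
    esac
}

# conf_value FILE KEY: first uncommented `KEY "value";` in FILE.
# Lines commented out with # or // do not match because KEY must be
# the first non-blank token on the line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# resolve CHROOT DIRECTORY VALUE: an absolute VALUE is relative to the
# chroot root, a relative VALUE is relative to the `directory` option
# (assumption stated in the lead-in).
resolve() {
    case $3 in
        /*) host_path "$1" "$3" ;;
        *)  host_path "$1" "${2%/}/$3" ;;
    esac
}

# check_named_paths CHROOT CONF: returns 0 if `directory` exists under
# the chroot and the parent of `pid-file` exists there, 1 otherwise.
check_named_paths() {
    chroot_dir=$1; conf=$2; rc=0
    dir=$(conf_value "$conf" directory)
    if [ -z "$dir" ]; then
        echo "FAIL no directory option in $conf"; return 1
    fi
    hdir=$(resolve "$chroot_dir" / "$dir")
    if [ -d "$hdir" ]; then
        echo "ok   directory \"$dir\" -> $hdir"
    else
        echo "FAIL directory \"$dir\" -> $hdir does not exist on the host"; rc=1
    fi
    pid=$(conf_value "$conf" pid-file)
    if [ -n "$pid" ]; then
        hpid=$(resolve "$chroot_dir" "$dir" "$pid")
        if [ -d "$(dirname "$hpid")" ]; then
            echo "ok   pid-file \"$pid\" -> $hpid"
        else
            echo "FAIL pid-file \"$pid\" -> $hpid: parent directory missing"; rc=1
        fi
    else
        echo "note pid-file not set; compiled-in default not checked"
    fi
    return $rc
}

# Constructed demo chroot in a scratch directory, modelled on the
# /var/named listing in the thread (etc/, dev/, var/ under the chroot).
setup_demo() {
    work=$(mktemp -d)
    chroot_dir=$work/var/named
    mkdir -p "$chroot_dir/etc/namedb" "$chroot_dir/dev" "$chroot_dir/var"
    # The thread's config: directory "/var/named" inside a chroot that is
    # already /var/named, so named looks for /var/named/var/named.
    printf 'options {\n    directory "/var/named";\n    # pid-file "named.pid";\n};\n' \
        > "$chroot_dir/etc/namedb/broken.conf"
    # Paths written relative to the chroot root, as in the quoted working config.
    printf 'options {\n    directory "/";\n    pid-file "/named.pid";\n};\n' \
        > "$chroot_dir/etc/namedb/fixed.conf"
    echo "$chroot_dir"
}

demo_broken() { c=$(setup_demo); check_named_paths "$c" "$c/etc/namedb/broken.conf"; }
demo_fixed()  { c=$(setup_demo); check_named_paths "$c" "$c/etc/namedb/fixed.conf"; }
```

Run `demo_broken` to see the `directory "/var/named"` case fail and
`demo_fixed` to see the chroot-relative form pass; against a real box, call
`check_named_paths /var/named /var/named/etc/namedb/named.conf` with whatever
chroot the rc script passes to `-t`. The script checks existence only; whether
the bind user can write the pidfile is a separate ownership check on the
resolved host path.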