From owner-freebsd-questions@FreeBSD.ORG Fri Mar 21 13:54:36 2008
Message-Id: <200803211354.m2LDsaI2007169@m.it.okstate.edu>
Date: Fri, 21 Mar 2008 08:54:36 -0500
From: Martin McCormick
To: freebsd-questions@freebsd.org
Subject: Re: /var/named Changes Ownership to Root on Boot

I think I fixed it but I am not sure I would have figured it out quickly without the help from the list. It seems that FreeBSD defaults to a chroot of bind with the tree owned by root. You can run bind in a sandbox as the documentation says and have it chroot, but if you do, and here's the confusion, you had better disable FreeBSD's attempt to make sure the /var/named tree is always owned by root, which would be fine if named ran as root. When you run it in a sandbox with a lower-priority UID, you must make sure that at least one more little line appears in rc.conf.local:

named_chrootdir=""	# Chroot directory (or "" not to auto-chroot it)

That's the key right there. If you use lines from rc.conf.local from an older system such as pre-FreeBSD 5, you don't need that line and things work fine. If you don't have it on a FreeBSD 5 or newer system, /etc/defaults/rc.conf supplies the default version of that line, which reads:

named_chrootdir="/var/named"	# Chroot directory (or "" not to auto-chroot it)

and one is seriously messed up from there on during the booting process. I was confused and thought this would all help me keep ownership of /var/named belonging to bind when, in fact, it does just the opposite.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer, OSU Information Technology Department, Network Operations Group

Chuck Swiger writes:
> /var/named is owned by root on all of my newer (5.x and later)
> systems; I found an old 4.11 box with it owned by bind, though. If
> you're using named chroot'ed (as recommended), it will want /var/named/
> var/{dump/log/run/stats} writable by bind.
>
> --
> -Chuck
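The failure mode described in this thread, as an added example that is not part of the original post: a small sh script that resolves the effective named_chrootdir the way FreeBSD's rc loads it (/etc/defaults/rc.conf, then /etc/rc.conf, then /etc/rc.conf.local, later files winning), reports whether rc will auto-chroot and re-own /var/named, and counts entries of a tree not owned by the expected user. The two config trees are constructed in temp directories standing in for /etc; the path layout and the file names are assumptions of this example, not the post's.

```shell
#!/bin/sh
# Resolve named_chrootdir using the rc load order: defaults/rc.conf,
# rc.conf, rc.conf.local. Sourced in a subshell so nothing leaks out.
# $1 is a directory holding those files (on a real box this is /etc).
effective_named_chrootdir() {
    (
        for f in "$1/defaults/rc.conf" "$1/rc.conf" "$1/rc.conf.local"; do
            [ -r "$f" ] && . "$f"
        done
        printf '%s' "${named_chrootdir-UNSET}"
    )
}

# AUTO-CHROOT:<dir> means rc will chroot named there and make the tree
# root-owned on boot; MANUAL means named_chrootdir="" was set explicitly.
chroot_mode() {
    v="$(effective_named_chrootdir "$1")"
    case "$v" in
        UNSET) echo "UNSET" ;;
        "")    echo "MANUAL" ;;
        *)     echo "AUTO-CHROOT:$v" ;;
    esac
}

# Number of entries under tree $1 not owned by user $2; run after a reboot
# against /var/named with the sandbox user to spot the re-owning.
count_not_owned_by() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# --- constructed sample trees: one box with the rc.conf.local line, one without ---
make_etc() {   # $1 = dir, $2 = with-local | no-local
    mkdir -p "$1/defaults"
    printf 'named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)\n' \
        > "$1/defaults/rc.conf"
    printf 'named_enable="YES"\n' > "$1/rc.conf"
    if [ "$2" = with-local ]; then
        printf 'named_chrootdir=""   # sandboxed named: keep rc off the tree\n' \
            > "$1/rc.conf.local"
    fi
}
FIXED="$(mktemp -d)";  make_etc "$FIXED" with-local
BROKEN="$(mktemp -d)"; make_etc "$BROKEN" no-local

echo "fixed box:  $(chroot_mode "$FIXED")"    # MANUAL
echo "broken box: $(chroot_mode "$BROKEN")"   # AUTO-CHROOT:/var/named
```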