Date:      Sun, 3 Aug 2008 22:32:22 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Eugene Grosbein <eugen@kuzbass.ru>
Cc:        net@freebsd.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <Pine.BSF.3.96.1080803210452.13190B-100000@gaia.nimnet.asn.au>
In-Reply-To: <20080803073803.GA10321@grosbein.pp.ru>

On Sun, 3 Aug 2008, Eugene Grosbein wrote:

 > I need /etc/namedb to be owned by root:bind and have permissions 01775,
 > so bind may write to it but may not overwrite files that belong to root
 > here, and I made it so. Surprise!
 > 
 > # /etc/rc.d/named restart
 > Stopping named.
 > Waiting for PIDS: 1892.
 > etc/namedb changed
 >         gid expected 0 found 53 modified
 >         permissions expected 0755 found 01775 modified
 > Starting named.

Are you running /etc/namedb linked to chroot'd /var/named/etc/namedb?
If so, that'd be mtree restoring perms from /etc/mtree/BIND.chroot.dist

I couldn't get rndc trace running to named.run for ages, same problem: 
bind user couldn't write to (default) /var/named/etc/namedb/named.run
unless it already existed, owned by bind.  Added to /etc/rc.d/named:

 touch /var/named/etc/namedb/named.run
 chown bind /var/named/etc/namedb/named.run	# bind:wheel 644

and now trace and querylog are happy, so I am.  Running latest 5-STABLE
here but I see no changes in 7 or HEAD cvs related to this.  Suppose I
should do up a PR with a patch, unless someone knows a better way?

I don't know if this helps with whatever file/s you want bind to write,
or whether there are other files bind writes needing similar treatment.

 > I dislike it very much when a system thinks it knows better what a user needs.
 > Also, I do not want to move the place where bind writes its files to another
 > location just because the system does not want it to write here.
 > Why was this done this way, am I missing something?

I'm usually glad that FreeBSD's bind setup tends to paranoia :)

cheers, Ian
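As an added illustration (not part of this thread, and not FreeBSD's code), the following Python models why mtree's update run over BIND.chroot.dist reports exactly the two changes quoted above: the spec's "/set" line makes every directory default to root:wheel 0755 unless an entry overrides it, so a hand-applied root:bind 01775 on etc/namedb is "wrong" by the spec and gets reverted. The spec text, the uid/gid tables (bind = 53, matching "found 53") and the OBSERVED view of the chroot are all constructed for the example.

```python
import shlex
# Constructed spec in the style of FreeBSD's /etc/mtree/BIND.chroot.dist (not the real
# file): "/set" gives defaults, an indented name opens a directory, ".." closes it.
SPEC = """\
/set type=dir uname=root gname=wheel mode=0755
.
    etc
        namedb
            dynamic         uname=bind mode=0755
            ..
        ..
    ..
..
"""
# Hypothetical uid/gid tables (bind is uid/gid 53 here, hence "found 53").
UIDS = {"root": 0, "bind": 53}
GIDS = {"wheel": 0, "bind": 53}
# Constructed view of the chroot after chown root:bind + chmod 01775 on etc/namedb.
OBSERVED = {
    "etc/namedb": {"uid": 0, "gid": 53, "mode": 0o1775},
    "etc/namedb/dynamic": {"uid": 53, "gid": 0, "mode": 0o755},
}

def parse_spec(text):
    # Map each directory in the spec to the uid/gid/mode mtree expects for it.
    defaults, stack, expected = {}, [], {}
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] == "/set":
            defaults.update(kv.split("=", 1) for kv in words[1:])
        elif words[0] == "..":
            stack.pop()
        else:  # an entry inherits the /set defaults, then applies its own key=value words
            attrs = dict(defaults, **dict(kv.split("=", 1) for kv in words[1:]))
            stack.append(words[0])
            path = "/".join(p for p in stack if p != ".")
            expected[path] = {"uid": UIDS[attrs["uname"]], "gid": GIDS[attrs["gname"]],
                              "mode": int(attrs["mode"], 8)}
    return expected

def check(expected, observed):
    # Report, per path, what mtree's update mode would change so disk matches the spec.
    report = {}
    for path, have in observed.items():
        want = expected[path]
        diffs = [f"{k} expected {want[k]} found {have[k]} modified"
                 for k in ("uid", "gid") if want[k] != have[k]]
        if want["mode"] != have["mode"]:  # mtree prints modes in octal
            diffs.append("permissions expected 0%o found 0%o modified" % (want["mode"], have["mode"]))
        if diffs:
            report[path] = diffs
    return report
```

check(parse_spec(SPEC), OBSERVED) yields the same two lines for etc/namedb that the restart printed, while etc/namedb/dynamic, which the spec explicitly assigns to bind, passes untouched; that is the difference between a directory the spec hands to bind and one it does not.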