From: Ian Smith
To: Eugene Grosbein
Cc: net@freebsd.org
Date: Sun, 3 Aug 2008 22:32:22 +1000 (EST)
Subject: Re: permissions on /etc/namedb
In-Reply-To: <20080803073803.GA10321@grosbein.pp.ru>

On Sun, 3 Aug 2008, Eugene Grosbein wrote:

> I need /etc/namedb to be owned by root:bind and have permissions 01775,
> so bind may write to it but may not overwrite files that belong to root
> here, and I made it so. Surprise!
>
> # /etc/rc.d/named restart
> Stopping named.
> Waiting for PIDS: 1892.
> etc/namedb changed
> gid expected 0 found 53 modified
> permissions expected 0755 found 01775 modified
> Starting named.

Are you running /etc/namedb linked to chroot'd /var/named/etc/namedb?
If so, that'd be mtree restoring perms from /etc/mtree/BIND.chroot.dist

I couldn't get rndc trace running to named.run for ages, same problem:
bind user couldn't write to (default) /var/named/etc/namedb/named.run
unless it already existed, owned by bind.

Added to /etc/rc.d/named:

    touch /var/named/etc/namedb/named.run
    chown bind /var/named/etc/namedb/named.run    # bind:wheel 644

and now trace and querylog are happy, so I am.

Running latest 5-STABLE here but I see no changes in 7 or HEAD cvs
related to this. Suppose I should do up a PR with a patch, unless
someone knows a better way?

I don't know if this helps with whatever file/s you want bind to write,
or whether there are other files bind writes needing similar treatment.

> I dislike it very much when a system thinks it knows better what user needs.
> Also, I do not want to move a place where bind writes its files to another
> location just because system does not want it to write here.
> Why was this done such way, do I miss something?

I'm usually glad that FreeBSD's bind setup tends to paranoia :)

cheers, Ian
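The two things the thread turns on, as an added shell example that is not Ian's patch or FreeBSD's rc.d/named: a check that reports ownership/permission drift in the same "expected X found Y" form the rc script printed (so you can see what mtree will clobber before restarting), and an idempotent version of the named.run workaround that gives the bind user one writable file without loosening the directory. It assumes GNU stat (Linux) or BSD stat (FreeBSD); the paths and user names passed in are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.d/named.
# Assumes GNU stat (Linux) or BSD stat (FreeBSD); paths and users are constructed inputs.

# Print "mode uid gid" for a path.
file_ids() {
    if stat --version >/dev/null 2>&1; then
        stat -c '%a %u %g' "$1"
    else
        stat -f '%OMp%OLp %u %g' "$1"
    fi
}

# Normalise any octal spelling (755, 0755, 01775) to a zero-prefixed octal string.
norm_mode() { printf '0%o' "$((0$1))"; }

# check_entry PATH MODE UID GID: print one line per mismatch, return 1 if anything differs.
check_entry() {
    set -- "$1" "$(norm_mode "$2")" "$3" "$4" $(file_ids "$1")   # $5 mode, $6 uid, $7 gid
    rc=0
    [ "$2" = "$(norm_mode "$5")" ] || { echo "$1: permissions expected $2 found $(norm_mode "$5")"; rc=1; }
    [ "$3" -eq "$6" ] || { echo "$1: uid expected $3 found $6"; rc=1; }
    [ "$4" -eq "$7" ] || { echo "$1: gid expected $4 found $7"; rc=1; }
    return $rc
}

# prepare_named_run FILE OWNER: create FILE only if missing, hand it to OWNER with mode 644,
# leave the parent directory untouched, then verify the result.
prepare_named_run() {
    [ -e "$1" ] || : > "$1" || return 1
    chown "$2" "$1" && chmod 644 "$1" || return 1
    set -- "$2" $(file_ids "$1")            # $1 owner, $2 mode, $3 uid
    [ "$(norm_mode "$2")" = 0644 ] && [ "$3" -eq "$(id -u "$1")" ]
}
```

Run check_entry against the entries you have changed by hand before each restart; a non-zero exit means the rc script's mtree pass will reset them.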