From: Vivek Khera <khera@kcilink.com>
To: "Dan Langille" <dan@langille.org>
Subject: Re: bind with TSIG needs chgrp bind /etc/namedb
References: <3DAC27C5.23526.3E9077@localhost>
>>>>> "DL" == Dan Langille <dan@langille.org> writes:
DL> I've been adding TSIG to various domains. But I've found that on my
DL> slave servers, I've had to set the directory permissions as this:
DL> $ ls -ld /etc/namedb/
DL> drwxrwxr-x 4 root bind 512 Oct 15 09:26 /etc/namedb/
DL> $ ls -ld /etc/namedb/secondary/
DL> drwxr-x--- 2 bind bind 512 Oct 15 09:25 /etc/namedb/secondary/
DL> named is running as: /usr/sbin/named -u bind -g bind
DL> Some bits from /etc/namedb/named.conf:
DL> options {
DL> directory "/etc/namedb";
I found this too. I really don't like having /etc/namedb group
writable. The secondary directory is already so, and must be, so I
just use that as the main directory in the options flag, then for all
other files, use "../master/foo.com" instead of "master/foo.com", and
for the secondaries, use "bar.com" instead of "secondary/bar.com".
This way, the tsig info is written in the "safe" secondary directory,
and the main namedb directory is safe from being mucked with by the
sandboxed process.
I think they would have been smart to make the directory for tsig info
a config variable.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/
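As an added illustration (not part of Vivek's message and not a BIND tool), here is a small Python check for the layout problem discussed in this thread: it reads the `directory` option and each zone's `file` from a named.conf, resolves relative file paths the way BIND does (against `directory`), and lists master zone files that end up inside the directory named must be able to write to. The two named.conf fragments are constructed to match the "before" layout from Dan's post and the rearranged layout Vivek describes; the parser assumes one zone statement per line, starting at the beginning of the line.

```python
import os
import re

# Constructed named.conf fragments (not from the original post). BEFORE is the
# layout that forces /etc/namedb itself to be group-writable; AFTER moves the
# working directory to secondary/ and reaches the master files via "../master".
BEFORE = """
options { directory "/etc/namedb"; };
zone "foo.com" { type master; file "master/foo.com"; };
zone "bar.com" { type slave; file "secondary/bar.com"; masters { 192.0.2.1; }; };
"""
AFTER = """
options { directory "/etc/namedb/secondary"; };
zone "foo.com" { type master; file "../master/foo.com"; };
zone "bar.com" { type slave; file "bar.com"; masters { 192.0.2.1; }; };
"""

DIRECTORY_RE = re.compile(r'directory\s+"([^"]+)"')


def parse_named_conf(text):
    """Return (working_dir, [(zone_name, zone_type, resolved_file_path)])."""
    m = DIRECTORY_RE.search(text)
    workdir = os.path.abspath(m.group(1) if m else ".")
    zones = []
    # Assumption: each zone statement starts on its own line.
    for chunk in re.split(r"(?m)^zone\s+", text)[1:]:
        name = re.match(r'"([^"]+)"', chunk).group(1)
        ztype = re.search(r"\btype\s+(\w+)\s*;", chunk).group(1)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', chunk).group(1)
        # BIND resolves a relative "file" against the "directory" option.
        resolved = os.path.normpath(os.path.join(workdir, zfile))
        zones.append((name, ztype, resolved))
    return workdir, zones


def masters_in_writable_dir(text):
    """Master zone files located under the directory named writes into.

    named needs write access to "directory" (TSIG/key material, transfers),
    so any master file beneath it is reachable by the sandboxed process.
    """
    workdir, zones = parse_named_conf(text)
    return [path for _, ztype, path in zones
            if ztype == "master"
            and os.path.commonpath([workdir, path]) == workdir]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "exposed master files:", masters_in_writable_dir(conf))
```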
