From owner-freebsd-current Fri Aug 3 20: 6:54 2001
Delivered-To: freebsd-current@freebsd.org
Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by hub.freebsd.org (Postfix) with ESMTP id DA32537B401 for ; Fri, 3 Aug 2001 20:06:50 -0700 (PDT) (envelope-from david@catwhisker.org)
Received: (from david@localhost) by bunrab.catwhisker.org (8.11.4/8.11.4) id f7436j234166 for FreeBSD-current@FreeBSD.ORG; Fri, 3 Aug 2001 20:06:45 -0700 (PDT)
Date: Fri, 3 Aug 2001 20:06:45 -0700 (PDT)
From: David Wolfskill
Message-Id: <200108040306.f7436j234166@bunrab.catwhisker.org>
Subject: Re: named -u bind
Cc: FreeBSD-current@FreeBSD.ORG
In-Reply-To: <20010804025029.CB17D3E28@bazooka.unixfreak.org>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>Date: Fri, 03 Aug 2001 19:50:24 -0700
>From: Dima Dorfman

>> Are there any reasons not to use "-u bind" flag for named by default?

>IIRC the last time this came up somebody said something about it not
>being able to read zonefiles in some odd places where they like to put
>them. I.e., they want it to run as root so they can set their
>zonefile mode 600 or something.

That sounds like someone overdosed on perversity.

I've been running named with user & group "bind" (53) for nearly 2 years without significant problems: I made the directory named uses /var/namedb; everything in there is (still) owned by root, except for the "sec" subdirectory, which is owned by bind. (That is where the local copies of files retrieved from zone transfers go, for the zones for which my system is a slave. Having the named process unable to modify other files is a Good Thing. Oh, yeah: I also made /etc/named.conf a symlink to /var/namedb/named.conf.)

I also made /var/run mode 1777, so that /var/run/named.pid could get created with minimal hassle.

(Since the box has no general-purpose logins & no keyboard, I have reasonable confidence that a local user isn't likely to abuse this.)

Cheers,
david
--
David H. Wolfskill david@catwhisker.org
As a computing professional, I believe it would be unethical for me to advise, recommend, or support the use (save possibly for personal amusement) of any product that is or depends on any Microsoft product.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
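The layout the post describes (zone files root-owned, only the "sec" slave directory owned by bind, /var/run made 1777 for the pid file) can be audited mechanically: list every path under the named directories with its owner, group and mode, and report which of them a process running as user and group bind could write to. The script below is an added example, not code from the post or from FreeBSD; the file records are constructed to mirror the post's layout rather than read from a live system, and the `stat` invocations named in the comment are only a suggestion for producing real input (the FreeBSD format string is an assumption; the GNU one is `stat -c '%U %G %a %n'`).

```shell
#!/bin/sh
# Added example (not from the original post): audit which paths a named
# process running as user/group "bind" could write to.
#
# Input records are "owner group octal-mode path", one per line. The
# SAMPLE below is constructed to mirror the post's layout. On a real host
# you would generate it with something like
#   find /var/namedb /var/run -exec stat -c '%U %G %a %n' {} +      (GNU stat)
#   find /var/namedb /var/run -exec stat -f '%Su %Sg %Lp %N' {} +   (FreeBSD stat; format assumed)

SAMPLE='root wheel 755 /var/namedb
root wheel 644 /var/namedb/named.conf
root wheel 644 /var/namedb/example.org.db
bind bind 755 /var/namedb/sec
bind bind 644 /var/namedb/sec/slave.example.net.db
root wheel 1777 /var/run'

# has_bit DIGIT BIT: succeed if the octal permission DIGIT contains BIT
# (4 = read, 2 = write, 1 = execute/search).
has_bit() {
    case $1 in
        [0-7]) ;;
        *) return 1 ;;
    esac
    [ $(( $1 & $2 )) -ne 0 ]
}

# writable_by USER GROUP RECORDS: print every path that USER (with primary
# group GROUP) could write, judged from owner/group/other write bits.
# Anything printed here is what a compromised named could modify; on the
# post's layout that should be only the "sec" tree plus the 1777 /var/run.
writable_by() {
    user=$1; group=$2
    printf '%s\n' "$3" | while read -r owner grp mode path; do
        [ -n "$path" ] || continue
        perm=${mode#"${mode%???}"}          # keep the last three octal digits
        u=${perm%??}; rest=${perm#?}; g=${rest%?}; o=${rest#?}
        if { [ "$owner" = "$user" ] && has_bit "$u" 2; } ||
           { [ "$grp" = "$group" ] && has_bit "$g" 2; } ||
           has_bit "$o" 2; then
            printf '%s\n' "$path"
        fi
    done
}

# Run the audit over the constructed sample.
writable_by bind bind "$SAMPLE"
```

On the post's layout the report lists only /var/namedb/sec, its slave zone copy and /var/run: the root-owned named.conf and master zone files stay out of reach of the bind user, while the world-writable /var/run shows up because its 1777 mode lets any local account create files there, which is exactly the trade-off the post acknowledges.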