Date: Thu, 17 Jun 2010 09:37:03 +0100 From: krad <kraduk@googlemail.com> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org, Peter Boosten <peter@boosten.org> Subject: Re: Ownership of /var/named Changes on Reboot. Message-ID: <AANLkTilgXUxislxOdXfc-WzSLCxVeDiwLJt0Rtwh0geB@mail.gmail.com> In-Reply-To: <4C19D30E.2050409@infracaninophile.co.uk> References: <201006170232.o5H2Welb014148@dc.cis.okstate.edu> <19481.36703.87734.484856@jerusalem.litteratus.org> <4C1994BE.2030004@boosten.org> <4C19D30E.2050409@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 17 June 2010 08:47, Matthew Seaman <m.seaman@infracaninophile.co.uk>wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 17/06/2010 04:21:34, Peter Boosten wrote: > > On 17-6-2010 4:58, Robert Huff wrote: > >> > >> Martin McCormick writes: > >> > >>> Is there a way to keep /var/named owned by bind across > >>> reboots? > >> > >> Yes. I had this happen for a long time. > >> The bad news is it had been years since I fixed it, and I no > >> longer remember exactly what I did. I will keep trying. > >> > >> > > > > Permissions are set using the mtree files: > > > > /etc/mtree/ > > > > Furthermore, the default setup *is* for named to run as an unprivileged > process. The setup is very carefully designed so that named doesn't > have write permission on the directory where its configuration files are > stored, or on directories that contain static zone files, but it does > have write permission on directories it uses for zone files AXFR'd from > a master, or zone files maintained using dynamic DNS. > > This used to generate a warning from bind about not having a writable > current working directory -- which was basically harmless and could be > ignored. However recent changes mean bind needs a writable working > directory, so the latest layouts include /var/named/etc/namedb/working > > Cheers, > > Matthew > > - -- > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard > Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate > JID: matthew@infracaninophile.co.uk Kent, CT11 9PW > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.14 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkwZ0w4ACgkQ8Mjk52CukIyWEACfdgSPyaDaLVXp/ugxYPCZIGSf > KygAn2bsa27UF+O7BpZwmUMBGRIRvYeI > =LaxU > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > so the logical extension to this is by changing the ownership of the directory to bind, you are making the configuration directory writeable, and therefore you are actually lowering security.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTilgXUxislxOdXfc-WzSLCxVeDiwLJt0Rtwh0geB>