From: krad
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org, Peter Boosten
Date: Thu, 17 Jun 2010 09:37:03 +0100
Subject: Re: Ownership of /var/named Changes on Reboot.

On 17 June 2010 08:47, Matthew Seaman wrote:
> On 17/06/2010 04:21:34, Peter Boosten wrote:
> > On 17-6-2010 4:58, Robert Huff wrote:
> >>
> >> Martin McCormick writes:
> >>
> >>> Is there a way to keep /var/named owned by bind across
> >>> reboots?
> >>
> >> Yes. I had this happen for a long time.
> >> The bad news is it had been years since I fixed it, and I no
> >> longer remember exactly what I did. I will keep trying.
> >>
> >
> > Permissions are set using the mtree files:
> >
> > /etc/mtree/
> >
>
> Furthermore, the default setup *is* for named to run as an unprivileged
> process. The setup is very carefully designed so that named doesn't
> have write permission on the directory where its configuration files are
> stored, or on directories that contain static zone files, but it does
> have write permission on directories it uses for zone files AXFR'd from
> a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable
> current working directory -- which was basically harmless and could be
> ignored. However recent changes mean bind needs a writable working
> directory, so the latest layouts include /var/named/etc/namedb/working
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

So the logical extension to this is that by changing the ownership of the
directory to bind, you are making the configuration directory writable,
and therefore you are actually lowering security.
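As an added example (not from the thread, and not FreeBSD's own rc.d/named script or mtree specification), a small POSIX sh check that walks the chroot layout Matthew describes and flags the configuration and static-zone directories when the named account owns them or they are group/world writable, which is the state a recursive chown of /var/named to bind leaves behind. The directory names and the protected/writable split are assumptions taken from the thread.

```shell
#!/bin/sh
# Hypothetical audit helper; not part of FreeBSD's rc.d/named or /etc/mtree files.
# Policy assumed from the thread, relative to the chroot root (e.g. /var/named):
#   must NOT be writable by the named account: etc/namedb        (configuration)
#                                              etc/namedb/master (static zones)
#   may be writable by the named account:      etc/namedb/slave, etc/namedb/dynamic,
#                                              etc/namedb/working
# Usage: audit_named_chroot <chroot root> <named user name or uid>
# Prints "VIOLATION <dir>" for each protected directory the daemon could write to.
# Exit status 0 means the layout matches the policy, 1 means it does not.
audit_named_chroot() {
    root=$1
    owner=$2
    status=0
    for rel in etc/namedb etc/namedb/master; do
        dir="$root/$rel"
        [ -d "$dir" ] || continue
        # A protected directory owned by the named account, or carrying the
        # group (-perm -020) or world (-perm -002) write bit, lets the daemon
        # replace its own configuration or static zone files.
        bad=$(find "$dir" -maxdepth 0 \( -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "VIOLATION $dir"
            status=1
        fi
    done
    for rel in etc/namedb/slave etc/namedb/dynamic etc/namedb/working; do
        [ -d "$root/$rel" ] && echo "OK $root/$rel (writable by design)"
    done
    return $status
}
```

Run it against the real chroot as `audit_named_chroot /var/named bind`; any VIOLATION line means the mtree-enforced defaults have been overridden and the daemon can rewrite what it should only read.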