Date: Wed, 01 Feb 2006 20:38:30 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: )(*&)(*&)(*&)(*& named
Message-ID: <1E50494AB755848B02FF7875@Paul-Schmehls-Computer.local>
In-Reply-To: <ba5e78ea0602011504n3f91a109n47e36a234d952e72@mail.gmail.com>
References: <D5344FE18CDF04BE8D501BB5@utd59514.utdallas.edu> <ba5e78ea0602011504n3f91a109n47e36a234d952e72@mail.gmail.com>
--On February 2, 2006 7:04:06 AM +0800 Daniel <jahilliya@gmail.com> wrote:

> The biggest difference between running as root and the startup script
> are the command line arguments given in either case.
>
> Script flags: -u bind -t /var/named
> CLI flags: -c /usr/local/etc/named.conf -u root
>
Yes, I know. I'm starting the daemon as root because it can't write to the pidfile when it's started as bind.

> The man page will show you that the -t flag indicates you want named
> to chroot (recommended practice). It also is running as bind and not
> root.
>
Yes, I know that as well.

> Check out /var/named and your named config file. You will probably
> find that /var/named/named.pid is not writable by the user bind.
>
It's writeable as bind.

ls -lsa /var/named/
total 19
2 drwxr-xr-x   5 root  wheel   512 Feb  1 20:30 .
2 drwxr-xr-x  20 root  wheel   512 Jan 27 17:42 ..
2 -rw-r--r--   1 bind  bind    212 Feb  1 20:15 127.0.0
1 dr-xr-xr-x   4 root  wheel   512 Feb  1 20:33 dev
2 drwxr-xr-x   3 root  wheel   512 Feb  1 20:11 etc
2 -rw-r--r--   1 bind  bind    580 Feb  1 20:14 friendshipforest.zone
2 -r--r--r--   1 bind  bind   1511 Feb  1 20:14 named.ca
2 -rw-r--r--   1 bind  bind      6 Feb  1 20:20 named.pid
2 -rw-r--r--   1 bind  bind    516 Feb  1 20:14 stovebolt.zone
2 drwxr-xr-x   6 root  wheel   512 Feb  1 20:11 var

I removed /var/named and let the script recreate it. Now it can't find named.conf.

> You may also find that the named config isn't specifying a full path
> to be used within the chroot directory (/var/named).
>
options {
        directory "/var/named";
        allow-transfer{ none; };
        allow-query{ any; };
        allow-recursion{ local-info; };
        listen-on{ 127.0.0.1; 66.221.101.248; };
        version "nice try";
        auth-nxdomain yes;
        # pid-file "named.pid";
        blackhole{ "bogusnet"; };
        query-source address * port 53;
};

> Below is the config for my named that runs chrooted.
> directory "/";
> pid-file "/named.pid";
> dump-file "/dump/named_dump.db";
> statistics-file "/stats/named.stats";
>
> Yours may look something like:
> directory "/var/named/";
> pid-file "/var/named/named.pid";
> dump-file "/var/named/dump/named_dump.db";
> statistics-file "/etc/named/stats/named.stats";
>
And where do the zone files go? Where does the rndc.key file go? Where does the named.conf file go?

> The paths in named.conf need to be relative to the chroot, not the base.
>
I'm not sure what you mean here. The chroot directory is /var/named. The directory specified in named.conf is /var/named. To what are you referring when you say "the paths"?

>> When I try to start named using rndc, I get this:
>>
>> rndc start
>> rndc: connect failed: connection refused
>
> rndc does not have a command "start"
>
Missed that.

> restart is also not yet implemented.
>
Knew that.

> Writing your own startup scripts is unnecessary, especially for
> something that already has one (or in this case, maybe two, /etc/rc.d
> and /usr/local/etc/rc.d)
>
Except for one niggling problem. It doesn't work. Due to my ignorance, I'm sure, but it doesn't work.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
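What "relative to the chroot" means in practice, as an added example that is not part of the thread: once named is started with -t /var/named, every path it opens is looked up underneath /var/named, so a named.conf that says directory "/var/named" really points at /var/named/var/named on the host, not at the /var/named the poster listed. The sample options are constructed from the configuration quoted above; the script assumes BIND's rule that a relative pid-file is resolved against the directory option.

```python
"""Resolve where a chrooted named (-t CHROOT) really looks for the paths in
named.conf, and flag entries that do not exist on the host.  Added example
for this thread, not code from the original post."""
import os
from pathlib import PurePosixPath

# Constructed sample: the two path options from the configuration quoted in
# the thread (pid-file is shown commented out there; BIND's default is the
# relative name "named.pid", resolved against "directory").
SAMPLE_OPTIONS = {
    "directory": "/var/named",
    "pid-file": "named.pid",
}


def resolve_in_chroot(chroot, directory, path):
    """Return the host-side path that a chrooted named will actually open.

    Inside the chroot an absolute path hangs off CHROOT; a relative path is
    first resolved against the (chroot-relative) 'directory' option.
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        p = PurePosixPath(directory) / p
    # Drop the leading "/" so the join does not discard the chroot prefix.
    return str(PurePosixPath(chroot) / p.relative_to("/"))


def audit(chroot, options):
    """Map each path option to (host path, exists on host)."""
    directory = options.get("directory", "/")
    report = {}
    for key, value in options.items():
        host = resolve_in_chroot(chroot, directory, value)
        report[key] = (host, os.path.exists(host))
    return report


if __name__ == "__main__":
    # With the poster's values this reports /var/named/var/named/named.pid,
    # which is why the named.pid he listed in /var/named is never touched.
    for key, (host, ok) in audit("/var/named", SAMPLE_OPTIONS).items():
        print(f"{key:10} -> {host}  {'ok' if ok else 'MISSING on host'}")
```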