<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Ed Warner wrote:
<blockquote cite="mid:253234.73403.qm@web57708.mail.re3.yahoo.com"
type="cite">
<pre wrap="">Message: 7
Date: Sat, 19 Jul 2008 06:26:53 -0400
From: "Christopher K. Johnson" <a class="moz-txt-link-rfc2396E" href="mailto:ckjohnson@gwi.net"><ckjohnson@gwi.net></a>
Subject: Re: bind update keeps messing up write-rights
To: For users of Fedora <a class="moz-txt-link-rfc2396E" href="mailto:fedora-list@redhat.com"><fedora-list@redhat.com></a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4881C16D.7010606@gwi.net"><4881C16D.7010606@gwi.net></a>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Gijs wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Sam Varshavchik wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Gijs writes:
</pre>
<blockquote type="cite">
<pre wrap="">Hey List,
Not sure why this is happening so perhaps someone can explain this
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">to me.
Whenever I update bind it messes up/resets access rights on my
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->zone
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">files. Now normally this wouldn't be a bad thing, but because
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->I have
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">dynamic updates on, for which named creates journalizing files, I
end up having non-writeable journalizing files. So after every
update I end up having to manually change the access rights on my
jnl files.
Is anyone else having the same problem and/or is it supposed to be
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">like this?
</pre>
</blockquote>
<pre wrap="">You must have bind configured to run in chroot.
rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you
have chroot configured, it runs this lovely bit of code:
chown -h root:named /var/named/* >/dev/null 2>&1;
chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">2>&1;
chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.*
</pre>
<blockquote type="cite">
<pre wrap="">/dev/null 2>&1;
</pre>
</blockquote>
<pre wrap=""> chown -h named:named /var/log/named.log >/dev/null 2>&1;
chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log
</pre>
<blockquote type="cite">
<pre wrap="">/dev/null 2>&1;
</pre>
</blockquote>
<pre wrap=""> chmod 750 ${pfx}/var/named >/dev/null 2>&1;
chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
chown -h named:named
/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->2>&1;
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""> chown -h named:named
${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}}
</pre>
<blockquote type="cite">
<pre wrap="">/dev/null 2>&1;
</pre>
</blockquote>
<pre wrap=""> chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->2>&1;
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""> chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*}
</pre>
</blockquote>
<pre wrap="">/dev/null
</pre>
<blockquote type="cite">
<pre wrap="">2>&1;
chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.}
</pre>
<blockquote type="cite">
<pre wrap="">/dev/null 2>&1;
</pre>
</blockquote>
<pre wrap="">Lovely.
</pre>
</blockquote>
<pre wrap="">Heh, that's indeed lovely. And yea, I've got named configured to
</pre>
</blockquote>
<pre wrap=""><!---->run
</pre>
<blockquote type="cite">
<pre wrap="">in chroot as it is the default nowadays (at least on Fedora).
You should note that the 'dynamic' subfolder contents are set to mode
660.
Move your updateable zone files there and update the referenced paths in
named.conf accordingly.
Chris
</pre>
</blockquote>
<pre wrap=""><!---->
Could you clarify your statement for me please?
1. Othe than my zone files, what else goes into /var/named/chroot/var/named/dynamic ?
2. My named.conf resides in /var/named/chroot/etc, so I need to make changes to point to the path --> /var/named/chroot/var/named/dynamic ?
Thanks</pre>
</blockquote>
I cannot really clarify point 1, but I can somewhat clarify point 2.<br>
In my named.conf I now have the following:<br>
zone "0.168.192.in-addr.arpa" IN {<br>
type master;<br>
file "dynamic/named.0.168.192";<br>
allow-update { key rndc; };<br>
};<br>
<br>
zone "home" IN {<br>
type master;<br>
file "dynamic/home.zone";<br>
allow-update { key rndc; };<br>
};<br>
<br>
This allows named to find the zone files inside the dynamic folder.
Also, /var/named/chroot/etc/named.conf has a hardlink to
/etc/named.conf so that might be somewhat easier to type next time you
want to edit that file :). And because named is running inside a
chroot, you cannot set the path to
"/var/named/chroot/var/named/dynamic" inside the named.conf. For named,
the chroot basically means that everything is running from the
/var/named/chroot directory. In other words, if you refer to
/var/named/dynamic inside your named.conf, it actually refers to
/var/named/chroot/var/named/dynamic.<br>
<br>
Hope this makes sense :)<br>
</body>
</html>