bind update keeps messing up write-rights
Gijs
info at boer-software-en-webservices.nl
Sat Jul 19 17:50:26 UTC 2008
Ed Warner wrote:
> Message: 7
> Date: Sat, 19 Jul 2008 06:26:53 -0400
> From: "Christopher K. Johnson" <ckjohnson at gwi.net>
> Subject: Re: bind update keeps messing up write-rights
> To: For users of Fedora <fedora-list at redhat.com>
> Message-ID: <4881C16D.7010606 at gwi.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Gijs wrote:
>> Sam Varshavchik wrote:
>>> Gijs writes:
>>>> Hey List,
>>>>
>>>> Not sure why this is happening so perhaps someone can explain this
>>>> to me.
>>>> Whenever I update bind it messes up/resets access rights on my zone
>>>> files. Now normally this wouldn't be a bad thing, but because I have
>>>> dynamic updates on, for which named creates journalizing files, I
>>>> end up having non-writeable journalizing files. So after every
>>>> update I end up having to manually change the access rights on my
>>>> jnl files.
>>>>
>>>> Is anyone else having the same problem and/or is it supposed to be
>>>> like this?
>>>>
>>> You must have bind configured to run in chroot.
>>>
>>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you
>>> have chroot configured, it runs this lovely bit of code:
>>>
>>> chown -h root:named /var/named/* >/dev/null 2>&1;
>>> chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
>>> chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>>> chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
>>> chown -h named:named /var/log/named.log >/dev/null 2>&1;
>>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
>>> chmod 750 ${pfx}/var/named >/dev/null 2>&1;
>>> chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>>> chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>>> chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>>> chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>> chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>>> chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
>>> chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
>>>
>>> Lovely.
>>>
>> Heh, that's indeed lovely. And yea, I've got named configured to run
>> in chroot as it is the default nowadays (at least on Fedora).
>>
>> You should note that the 'dynamic' subfolder contents are set to mode
>> 660.
>> Move your updateable zone files there and update the referenced paths in
>> named.conf accordingly.
>>
>> Chris
>>
> Could you clarify your statement for me please?
>
> 1. Other than my zone files, what else goes into /var/named/chroot/var/named/dynamic ?
>
> 2. My named.conf resides in /var/named/chroot/etc, so I need to make changes to point to the path --> /var/named/chroot/var/named/dynamic ?
>
> Thanks
I cannot really clarify point 1, but I can somewhat clarify point 2.
In my named.conf I now have the following:

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/named.0.168.192";
    allow-update { key rndc; };
};

zone "home" IN {
    type master;
    file "dynamic/home.zone";
    allow-update { key rndc; };
};

This allows named to find the zone files inside the dynamic folder.
Also, /var/named/chroot/etc/named.conf has a hardlink to /etc/named.conf
so that might be somewhat easier to type next time you want to edit that
file :). And because named is running inside a chroot, you cannot set
the path to "/var/named/chroot/var/named/dynamic" inside the named.conf.
For named, the chroot basically means that everything is running from
the /var/named/chroot directory. In other words, if you refer to
/var/named/dynamic inside your named.conf, it actually refers to
/var/named/chroot/var/named/dynamic.
Hope this makes sense :)
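The path mapping and permission reset discussed in this thread, as an added example (not code from the thread or from bind-chroot-admin). It assumes the default zone directory "/var/named" inside the chroot and a chroot prefix such as /var/named/chroot, resolves each allow-update zone's "file" path the way a chrooted named does, and flags zone directories whose group write bit is off, which is where a 750 /var/named leaves named unable to create its .jnl files while the 770 dynamic subfolder works; the fixture it builds is constructed.

```shell
# Added example, not code from the thread. Resolves each updateable zone's "file"
# path the way a chrooted named does (relative to /var/named inside the chroot) and
# flags zone directories lacking the group write bit, the state bind-chroot-admin
# leaves /var/named in (750) while it gives /var/named/dynamic 770.
# resolve_zone_path PREFIX FILE: host-side path of a zone file named in named.conf
resolve_zone_path() {
    case $2 in
        /*) printf '%s%s\n' "$1" "$2" ;;            # absolute path inside the chroot
        *)  printf '%s/var/named/%s\n' "$1" "$2" ;; # relative to the default directory
    esac
}
# list_dynamic_zones NAMED_CONF: print "<zone> <file>" for each zone with allow-update
list_dynamic_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { zone = $2; gsub(/"/, "", zone); file = ""; dyn = 0 }
        /^[ \t]*file[ \t]+"/ { file = $2; gsub(/[";]/, "", file) }
        /allow-update/       { dyn = 1 }
        /^[ \t]*};/          { if (dyn && file != "") print zone, file }
    ' "$1"
}
# group_writable PATH: true when the group write bit (column 6 of "ls -ld") is set
group_writable() { [ "$(ls -ld "$1" | cut -c6)" = "w" ]; }
# check_zone_dirs PREFIX NAMED_CONF: one "<zone> ok" or "<zone> NOT-WRITABLE <dir>" per zone
check_zone_dirs() {
    list_dynamic_zones "$2" | while read -r zone file; do
        dir=$(dirname "$(resolve_zone_path "$1" "$file")")
        if group_writable "$dir"; then echo "$zone ok"; else echo "$zone NOT-WRITABLE $dir"; fi
    done
}
# make_fixture: constructed chroot-style tree with the modes bind-chroot-admin sets;
# prints the temporary prefix so the caller can inspect and remove it
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/var/named/dynamic" "$root/etc"
    chmod 750 "$root/var/named"; chmod 770 "$root/var/named/dynamic"
    cat > "$root/etc/named.conf" <<'EOF'
zone "home" IN {
    type master;
    file "dynamic/home.zone";
    allow-update { key rndc; };
};
zone "old" IN {
    type master;
    file "old.zone";
    allow-update { key rndc; };
};
EOF
    echo "$root"
}
```

On a real host the same check is `check_zone_dirs /var/named/chroot /etc/named.conf`, run after each bind update to catch the permission reset before named logs journal write failures.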