bind update keeps messing up write-rights

Gijs info at boer-software-en-webservices.nl
Sat Jul 19 11:55:37 UTC 2008


Christopher K. Johnson wrote:
> Gijs wrote:
>> Sam Varshavchik wrote:
>>> Gijs writes:
>>>
>>>> Hey List,
>>>>
>>>> Not sure why this is happening so perhaps someone can explain this 
>>>> to me.
>>>> Whenever I update bind it messes up/resets access rights on my zone 
>>>> files. Now normally this wouldn't be a bad thing, but because I 
>>>> have dynamic updates on, for which named creates journalizing 
>>>> files, I end up having non-writeable journalizing files. So after 
>>>> every update I end up having to manually change the access rights 
>>>> on my jnl files.
>>>>
>>>> Is anyone else having the same problem and/or is it supposed to be 
>>>> like this?
>>>
>>> You must have bind configured to run in chroot.
>>>
>>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you 
>>> have chroot configured, it runs this lovely bit of code:
>>>
>>>    chown -h root:named /var/named/* >/dev/null 2>&1;
>>>    chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
>>>    chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>>>    chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
>>>    chown -h named:named /var/log/named.log >/dev/null 2>&1;
>>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
>>>    chmod 750 ${pfx}/var/named  >/dev/null 2>&1;
>>>    chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>>>    chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>>>    chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>>>    chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>>    chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>>>    chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
>>>    chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
>>>
>>> Lovely.
>>>
>> Heh, that's indeed lovely. And yea, I've got named configured to run 
>> in chroot as it is the default nowadays (at least on Fedora).
>>
> You should note that the 'dynamic' subfolder contents are set to mode 
> 660.
> Move your updateable zone files there and update the referenced paths 
> in named.conf accordingly.
>
> Chris
>
Yep, completely true. After checking the man file, it indeed says that 
writeable zone files should be placed in one of the 3 directories in 
/var/named/{data,slaves,dynamic}.
Good thing we finally got that one sorted out :)

Thanks
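Added example, not part of the thread: a small POSIX sh/awk check that reads a named.conf and lists every zone that has allow-update but whose zone file is not under data/, slaves/ or dynamic/, the three subdirectories the quoted bind-chroot-admin script leaves writable by named (everything else in /var/named is reset to root:named 640, so the .jnl next to such a file cannot be created). The named.conf fragment and zone names are constructed for the example.

```shell
#!/bin/sh
# Constructed named.conf fragment (not from the thread). Zone file paths
# are relative to the "directory" option, as BIND resolves them.
NAMED_CONF_SAMPLE='
options { directory "/var/named"; };
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { key "ddns-key"; };
};
zone "dyn.example.com" IN {
    type master;
    file "dynamic/dyn.example.com.zone";
    allow-update { key "ddns-key"; };
};
zone "static.example.com" IN {
    type master;
    file "static.example.com.zone";
};
'

# Reads named.conf on stdin; prints "<zone> <file>" for each zone that
# allows dynamic updates but keeps its file outside data/, slaves/ or
# dynamic/ (absolute /var/named/... paths to those dirs are accepted too).
# Brace depth is tracked so nested blocks like allow-update { ... } do not
# end the zone early.
misplaced_dynamic_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { match($0, /"[^"]*"/); zone = substr($0, RSTART+1, RLENGTH-2); file = ""; upd = 0 }
        /^[ \t]*file[ \t]+"/ { match($0, /"[^"]*"/); file = substr($0, RSTART+1, RLENGTH-2) }
        /allow-update/       { upd = 1 }
        {
            opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}")
            depth += opens - closes
            if (zone != "" && depth == 0) {
                if (upd && file !~ /^(\/var\/named\/)?(data|slaves|dynamic)\//) print zone, file
                zone = ""
            }
        }
    '
}

# Usage: feed the real config with  misplaced_dynamic_zones < /etc/named.conf
printf '%s\n' "$NAMED_CONF_SAMPLE" | misplaced_dynamic_zones
```

Any zone the check prints should be moved into one of the three writable directories and its file path in named.conf updated, as Chris suggests above.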
