bind update keeps messing up write-rights
Gijs
info at boer-software-en-webservices.nl
Sat Jul 19 11:55:37 UTC 2008
Christopher K. Johnson wrote:
> Gijs wrote:
>> Sam Varshavchik wrote:
>>> Gijs writes:
>>>
>>>> Hey List,
>>>>
>>>> Not sure why this is happening so perhaps someone can explain this
>>>> to me.
>>>> Whenever I update bind it messes up/resets access rights on my zone
>>>> files. Now normally this wouldn't be a bad thing, but because I
>>>> have dynamic updates on, for which named creates journalizing
>>>> files, I end up having non-writeable journalizing files. So after
>>>> every update I end up having to manually change the access rights
>>>> on my jnl files.
>>>>
>>>> Is anyone else having the same problem and/or is it supposed to be
>>>> like this?
>>>
>>> You must have bind configured to run in chroot.
>>>
>>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you
>>> have chroot configured, it runs this lovely bit of code:
>>>
>>> chown -h root:named /var/named/* >/dev/null 2>&1;
>>> chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
>>> chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>>> chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
>>> chown -h named:named /var/log/named.log >/dev/null 2>&1;
>>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
>>> chmod 750 ${pfx}/var/named >/dev/null 2>&1;
>>> chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>>> chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>>> chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>>> chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>> chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>>> chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
>>> chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
>>>
>>> Lovely.
>>>
>> Heh, that's indeed lovely. And yea, I've got named configured to run
>> in chroot as it is the default nowadays (at least on Fedora).
>>
> You should note that the 'dynamic' subfolder contents are set to mode
> 660.
> Move your updateable zone files there and update the referenced paths
> in named.conf accordingly.
>
> Chris
>
Yep, completely true. After checking the man page, I found it indeed says that
writable zone files should be placed in one of the 3 directories in
/var/named/{data,slaves,dynamic}.
Good thing we finally got that one sorted out :)
Thanks
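The practical consequence of the thread is a simple audit rule: any zone that accepts dynamic updates must keep its zone file (and therefore its .jnl journal) in one of the directories that bind-chroot-admin leaves writable for the named user. The script below is an added example, not code from the thread or from the Fedora bind package. It assumes named's working directory is /var/named, takes the three writable directories from the thread, and parses a constructed named.conf sample line by line (one statement per line); both the sample and the parsing assumptions are mine.

```shell
#!/bin/sh
# Added example (not part of the original thread): find zones that accept
# dynamic updates but keep their zone file outside the directories that
# bind-chroot-admin makes writable for named (/var/named/{data,slaves,dynamic}).
# Assumption: named's "directory" option is /var/named.

NAMED_DIR=/var/named
WRITABLE_DIRS="$NAMED_DIR/data $NAMED_DIR/slaves $NAMED_DIR/dynamic"
TAB=$(printf '\t')

# Constructed sample named.conf; not a real system's configuration.
SAMPLE_CONF='
zone "example.test" IN {
    type master;
    file "example.test.zone";
    allow-update { key "ddns-key"; };
};
zone "static.test" IN {
    type master;
    file "static.test.zone";
};
zone "dyn.test" IN {
    type master;
    file "dynamic/dyn.test.zone";
    allow-update { 127.0.0.1; };
};
'

# Print "zone<TAB>file" for every zone stanza that contains allow-update.
# Line-based parsing: assumes one statement per line and "};" at column 0
# closing each zone block, as in the sample above.
dynamic_zones() {
    printf '%s\n' "$1" | awk '
        /^zone[ \t]+"/ { match($0, /"[^"]*"/); z = substr($0, RSTART + 1, RLENGTH - 2); f = ""; upd = 0 }
        /file[ \t]+"/  { match($0, /"[^"]*"/); f = substr($0, RSTART + 1, RLENGTH - 2) }
        /allow-update/ { upd = 1 }
        /^};/          { if (upd && z != "") printf "%s\t%s\n", z, f; z = "" }
    '
}

# Print "zone<TAB>resolved-path" for every dynamic zone whose file does not
# live directly in one of the writable directories. Relative paths are
# resolved against NAMED_DIR; an empty output means nothing is misplaced.
misplaced_zones() {
    dynamic_zones "$1" | while IFS=$TAB read -r zone file; do
        case $file in
            /*) path=$file ;;
            *)  path="$NAMED_DIR/$file" ;;
        esac
        dir=${path%/*}
        ok=0
        for d in $WRITABLE_DIRS; do
            if [ "$dir" = "$d" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\t%s\n' "$zone" "$path"
        fi
    done
}

# Usage: run against the constructed sample. To audit a real server, pass
# "$(cat /etc/named.conf)" (or the chroot copy) instead of SAMPLE_CONF.
misplaced_zones "$SAMPLE_CONF"
```

With the sample, only example.test is reported: its file sits directly in /var/named, where the package's chmod 640 / root:named ownership applies, so named cannot create or write the journal; dyn.test is fine because its file is under dynamic/, which the same script leaves at 770/660 owned by named. The check only looks at where the file is configured to live; whether the file currently has the expected mode is a separate question for ls -l after the next package update.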