bind update keeps messing up write-rights

Ed Warner edwarner99 at yahoo.com
Sun Jul 20 17:00:58 UTC 2008


> 
> Message: 9
> Date: Sat, 19 Jul 2008 19:50:26 +0200
> From: Gijs <info at boer-software-en-webservices.nl>
> Subject: Re: bind update keeps messing up write-rights
> To: For users of Fedora <fedora-list at redhat.com>
> Message-ID: <48822962.5080202 at boer-software-en-webservices.nl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Ed Warner wrote:
> > Message: 7
> > Date: Sat, 19 Jul 2008 06:26:53 -0400
> > From: "Christopher K. Johnson" <ckjohnson at gwi.net>
> > Subject: Re: bind update keeps messing up write-rights
> > To: For users of Fedora <fedora-list at redhat.com>
> > Message-ID: <4881C16D.7010606 at gwi.net>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Gijs wrote:
> >> Sam Varshavchik wrote:
> >>> Gijs writes:
> >>>> Hey List,
> >>>>
> >>>> Not sure why this is happening so perhaps someone can explain this
> >>>> to me.
> >>>> Whenever I update bind it messes up/resets access rights on my zone
> >>>> files. Now normally this wouldn't be a bad thing, but because I have
> >>>> dynamic updates on, for which named creates journalizing files, I
> >>>> end up having non-writeable journalizing files. So after every
> >>>> update I end up having to manually change the access rights on my
> >>>> jnl files.
> >>>>
> >>>> Is anyone else having the same problem and/or is it supposed to be
> >>>> like this?
> >>> You must have bind configured to run in chroot.
> >>>
> >>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you
> >>> have chroot configured, it runs this lovely bit of code:
> >>>
> >>>    chown -h root:named /var/named/* >/dev/null 2>&1;
> >>>    chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
> >>>    chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
> >>>    chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
> >>>    chown -h named:named /var/log/named.log >/dev/null 2>&1;
> >>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
> >>>    chmod 750 ${pfx}/var/named  >/dev/null 2>&1;
> >>>    chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
> >>>    chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
> >>>    chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
> >>>    chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
> >>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
> >>>    chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
> >>>    chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
> >>>    chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
> >>>
> >>> Lovely.
> >>>
> >> Heh, that's indeed lovely. And yea, I've got named configured to run
> >> in chroot as it is the default nowadays (at least on Fedora).
> >>
> >> You should note that the 'dynamic' subfolder contents are set to mode
> >> 660.
> >> Move your updateable zone files there and update the referenced paths in
> >> named.conf accordingly.
> >>
> >> Chris
> >>
> >
> > Could you clarify your statement for me please?
> >
> > 1. Other than my zone files, what else goes into
> > /var/named/chroot/var/named/dynamic ?
> >
> > 2. My named.conf resides in /var/named/chroot/etc, so I need to make
> > changes to point to the path --> /var/named/chroot/var/named/dynamic ?
> >
> > Thanks
> I cannot really clarify point 1, but I can somewhat clarify point 2.
> In my named.conf I now have the following:
> zone "0.168.192.in-addr.arpa" IN {
>         type master;
>         file "dynamic/named.0.168.192";
>         allow-update { key rndc; };
> };
> 
> zone "home" IN {
>         type master;
>         file "dynamic/home.zone";
>         allow-update { key rndc; };
> };
> 
> This allows named to find the zone files inside the dynamic folder.
> Also, /var/named/chroot/etc/named.conf has a hardlink to /etc/named.conf
> so that might be somewhat easier to type next time you want to edit that
> file :). And because named is running inside a chroot, you cannot set
> the path to "/var/named/chroot/var/named/dynamic" inside the named.conf.
> For named, the chroot basically means that everything is running from
> the /var/named/chroot directory. In other words, if you refer to
> /var/named/dynamic inside your named.conf, it actually refers to
> /var/named/chroot/var/named/dynamic.
> 
> Hope this makes sense :)

It made sense thanks. I changed my named.conf file and relocated my zone files and it seems to work except for a message I get when I restart named.

It says my working directory is not writable. My directory in named.conf is "/var/named". Is this the directory the warning is coming from? What should the permissions be?
Thanks,
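Two things in this thread are easy to get wrong and cheap to check: how a `file` statement in named.conf maps to a host path under the chroot (Gijs's explanation above), and which directories named can actually write to after bind-chroot-admin has reset the modes (the `chmod 750`/`770` lines Sam quoted, and the "working directory is not writable" warning Ed sees). The script below is an added example, not part of the thread and not Fedora's bind-chroot-admin. It builds a constructed chroot layout in a temporary directory, applies the same modes the quoted script applies (the `chown root:named` step is omitted because it needs root; on a real host the tree is root:named and named runs as user named, so the group write bit is what decides), and then answers both questions. The prefix, directory and zone names are constructed.

```shell
#!/bin/sh
# Constructed chroot layout that mirrors the paths the quoted
# bind-chroot-admin snippet touches. Temporary directory, removed on exit.
PREFIX="$(mktemp -d)"
trap 'rm -rf "$PREFIX"' EXIT
mkdir -p "$PREFIX/var/named/dynamic" "$PREFIX/var/named/slaves" "$PREFIX/var/named/data"
: > "$PREFIX/var/named/home.zone"              # static zone file (constructed)
: > "$PREFIX/var/named/dynamic/home.zone"      # dynamic zone file (constructed)
: > "$PREFIX/var/named/dynamic/home.zone.jnl"  # journal named would create

# Same modes as the quoted script: 750 on var/named, 640 on its files,
# 770 on data/slaves/dynamic, 660 on the files inside dynamic.
chmod 750 "$PREFIX/var/named"
chmod 640 "$PREFIX/var/named"/*.zone
chmod 770 "$PREFIX/var/named/dynamic" "$PREFIX/var/named/slaves" "$PREFIX/var/named/data"
chmod 660 "$PREFIX/var/named/dynamic"/*

# resolve_zone_path PREFIX DIRECTORY FILE
# The host path named really opens for a zone "file" statement: inside the
# chroot an absolute path is relative to PREFIX, and a relative path is
# relative to the named.conf "directory" option (itself inside the chroot).
resolve_zone_path() {
    case "$3" in
        /*) echo "$1$3" ;;
        *)  echo "$1$2/$3" ;;
    esac
}

# group_writable PATH: succeeds when the group write bit is set.
# Read from the 6th character of the ls -ld mode string so it works with
# any POSIX ls (GNU stat -c and BSD stat -f differ).
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# writable_dirs PREFIX: directories under var/named that group named can write to.
writable_dirs() {
    find "$1/var/named" -type d | while read -r d; do
        if group_writable "$d"; then
            echo "${d#"$1"}"
        fi
    done | sort
}

# journal_ok PREFIX DIRECTORY FILE: a dynamic zone needs its zone file
# writable and its directory writable, because named creates FILE.jnl there.
journal_ok() {
    zone=$(resolve_zone_path "$1" "$2" "$3")
    group_writable "$(dirname "$zone")" && group_writable "$zone"
}

# Stand-alone report.
resolve_zone_path /var/named/chroot /var/named dynamic/home.zone
if group_writable "$PREFIX/var/named"; then
    echo "directory /var/named: writable by group named"
else
    echo "directory /var/named: not writable by group named (what the restart warning reports)"
fi
echo "writable directories under the chroot:"
writable_dirs "$PREFIX"
```

With the modes the quoted script sets, `/var/named` (Ed's `directory` option) ends up root:named 750, so named cannot create files there and logs the working-directory warning on restart, while `dynamic/` is 770 with 660 files, so zone files and their `.jnl` journals placed there stay writable across updates. Leaving the working directory non-writable is the safe side of that trade: only the subdirectory that needs dynamic writes gets them.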
