Apologies if posted to the wrong list. The rc.d script for named chowns /etc/namedb to root:wheel if set to bind:bind; why is this? A slave named server running as the bind user cannot download new slave zones if dir ownership is root, or update it if file ownerships are root, which I sometimes see.

Chris
> Apologies if posted to wrong list, the rc.d script for named chowns
> /etc/namedb to root:wheel if set to bind:bind why is this? A slave
> named server running as bind user cannot download new slave zones if
> dir ownership is root or update it if file ownerships are root which I
> sometimes see.

Slave zones should be put in the slave subdirectory, which is owned by bind. You want as few directories/files owned by the bind "run as" user as possible to prevent damage if that user becomes compromised.
> Apologies if posted to wrong list, the rc.d script for named chowns
> /etc/namedb to root:wheel if set to bind:bind why is this? A slave
> named server running as bind user cannot download new slave zones if
> dir ownership is root or update it if file ownerships are root which I
> sometimes see.

Use /etc/namedb/slave for slave zone.
Use /etc/namedb/dynamic for dynamic zone.

Mark

# $FreeBSD: src/etc/mtree/BIND.chroot.dist,v 1.6 2004/11/04 05:24:29 gshapiro Exp $
#
# Please see the file src/etc/mtree/README before making changes to this file.
#

/set type=dir uname=root gname=wheel mode=0755
.
    dev             mode=0555
    ..
    etc
        namedb
            dynamic         uname=bind
            ..
            master
            ..
            slave           uname=bind
            ..
        ..
    ..
/set type=dir uname=bind gname=wheel mode=0755
    var             uname=root
        dump
        ..
        log
        ..
        run
            named
            ..
        ..
        stats
        ..
    ..
..

> Chris
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
On 02/08/06, Mark Andrews <Mark_Andrews@isc.org> wrote:
> > Apologies if posted to wrong list, the rc.d script for named chowns
> > /etc/namedb to root:wheel if set to bind:bind why is this? A slave
> > named server running as bind user cannot download new slave zones if
> > dir ownership is root or update it if file ownerships are root which I
> > sometimes see.
>
> Use /etc/namedb/slave for slave zone.
> Use /etc/namedb/dynamic for dynamic zone.
>
> Mark
>
> # $FreeBSD: src/etc/mtree/BIND.chroot.dist,v 1.6 2004/11/04 05:24:29 gshapiro Exp $
> #
> # Please see the file src/etc/mtree/README before making changes to this file.
> #
>
> /set type=dir uname=root gname=wheel mode=0755
> .
>     dev             mode=0555
>     ..
>     etc
>         namedb
>             dynamic         uname=bind
>             ..
>             master
>             ..
>             slave           uname=bind
>             ..
>         ..
>     ..
> /set type=dir uname=bind gname=wheel mode=0755
>     var             uname=root
>         dump
>         ..
>         log
>         ..
>         run
>             named
>             ..
>         ..
>         stats
>         ..
>     ..
> ..
>
> > Chris

Thanks to all, I see now. So using the subdir is the correct way.

Chris
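As an added example (not from the thread, nor FreeBSD's own code), a small POSIX sh/awk script that derives the owners an mtree spec like the BIND.chroot.dist quoted above intends and flags directories in a chroot whose ownership has drifted, such as a root-owned slave/. It assumes the chroot root is /var/named and constructs its own sample listing; the spec excerpt is the namedb subtree from Mark's message.

```shell
#!/bin/sh
# Added example, not from the thread: derive the directory owners a
# BIND.chroot.dist-style mtree spec intends and compare them with the owners
# found in a live chroot, printing each directory that differs. It is the
# least-privilege check Mark describes: under namedb only dynamic/ and slave/
# should belong to the bind run-as user.

# Print "relative/path uname" for each directory of the mtree spec on stdin,
# honouring /set defaults, per-entry uname= overrides and ".." pops.
mtree_expected() {
    awk 'BEGIN { depth = 0 }
    /^#/ || /^[[:space:]]*$/ { next }
    /^\/set/ { for (i = 2; i <= NF; i++) if ($i ~ /^uname=/) def = substr($i, 7)
               next }
    $1 == ".." { depth--; next }
    { owner = def
      for (i = 2; i <= NF; i++) if ($i ~ /^uname=/) owner = substr($i, 7)
      dir[depth] = depth ? dir[depth - 1] "/" $1 : $1
      print dir[depth], owner; depth++ }'
}

# Report each "relative/path owner" line on stdin whose owner differs from the
# expected list in file $1. On FreeBSD, assuming the chroot is /var/named, the
# live listing comes from:  cd /var/named && find . -type d -exec stat -f '%N %Su' {} \;
audit_owners() {
    awk 'NR == FNR { want[$1] = $2; next }
         ($1 in want) && want[$1] != $2 { print $1 ": owned by " $2 ", spec says " want[$1] }
         !($1 in want) { print $1 ": not in spec, check by hand" }' "$1" -
}

# Excerpt of the spec quoted in the thread (the namedb subtree), newline-escaped.
SPEC='/set type=dir uname=root gname=wheel mode=0755\n.\netc\nnamedb\ndynamic uname=bind\n..'
SPEC="$SPEC"'\nmaster\n..\nslave uname=bind\n..\n..\n..\n..'
# Constructed listing of a chroot where slave/ ended up root-owned (the symptom
# in the original question) plus a directory the spec never mentions.
ACTUAL='. root\n./etc root\n./etc/namedb root\n./etc/namedb/slave root'
ACTUAL="$ACTUAL"'\n./etc/namedb/dynamic bind\n./etc/namedb/working bind'

audit_sample() {
    tmp=$(mktemp) || return 1
    printf '%b\n' "$SPEC" | mtree_expected > "$tmp"
    printf '%b\n' "$ACTUAL" | audit_owners "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Against the real chroot, pipe the find/stat listing from the comment into `audit_owners` with `/etc/mtree/BIND.chroot.dist` run through `mtree_expected` as the expected list.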