bind update keeps messing up write-rights

Christopher K. Johnson ckjohnson at gwi.net
Sat Jul 19 10:26:53 UTC 2008 

Gijs wrote:
> Sam Varshavchik wrote:
>> Gijs writes:
>>
>>> Hey List,
>>>
>>> Not sure why this is happening so perhaps someone can explain this 
>>> to me.
>>> Whenever I update bind it messes up/resets access rights on my zone 
>>> files. Now normally this wouldn't be a bad thing, but because I have 
>>> dynamic updates on, for which named creates journalizing files, I 
>>> end up having non-writeable journalizing files. So after every 
>>> update I end up having to manually change the access rights on my 
>>> jnl files.
>>>
>>> Is anyone else having the same problem and/or is it supposed to be 
>>> like this?
>>
>> You must have bind configured to run in chroot.
>>
>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you 
>> have chroot configured, it runs this lovely bit of code:
>>
>>    chown -h root:named /var/named/* >/dev/null 2>&1;
>>    chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 
>> 2>&1;
>>    chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>>    chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* 
>> >/dev/null 2>&1;
>>    chown -h named:named /var/log/named.log >/dev/null 2>&1;
>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log 
>> >/dev/null 2>&1;
>>    chmod 750 ${pfx}/var/named  >/dev/null 2>&1;
>>    chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>>    chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>>    chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>>    chown -h named:named 
>> /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>    chown -h named:named 
>> ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} 
>> >/dev/null 2>&1;
>>    chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>>    chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 
>> 2>&1;
>>    chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} 
>> >/dev/null 2>&1;
>>
>> Lovely.
>>
> Heh, that's indeed lovely. And yea, I've got named configured to run 
> in chroot as it is the default nowadays (at least on Fedora).
>
You should note that the 'dynamic' subfolder contents are set to mode 660.
Move your updateable zone files there and update the referenced paths in 
named.conf accordingly.

Chris

-- 
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #804005699817957

More information about the fedora-list mailing list