Re: bind-chroot directory permissions?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim:
>> Also, how have you got SELinux set?

Tom Horsley:
> Nah, selinux gets turned off first thing.

I'd recommend using it with any public services.  And even on private
networks, where you might have rogue clients.

But I have to ask, did you actually disable it, or just put it into
permissive mode?  It's been found that it still does block some things
in permissive mode.  I don't recall what the reported /things/ were,
though.

> I didn't have the /var/named/chroot/var/named/data
> directory, but I created it, and I still see it
> writing .jnl files in /var/named/chroot/var/named

I just listed some samples.  My main server is still on Fedora Core 4,
though I've dabbled with slave servers on up to Fedora 9, I think.

Looking at my old notes, I'd see error messages like:

  dumping master file: tmp-XXXXMkOQYs: open: permission denied

  transfer of 'example.com/IN' from 192.168.0.1#53: failed while receiving responses: permission denied

But everything looked like it should be working correctly.  

Later I found out that slave records should be written into a slaves
subdirectory.  As I recall, there wasn't any instructions about that
*HAVING* to be done.  

And I had to change SELinux rule settings, so that the master name
server can change master records, this was necessary as my DHCP server
would update my DNS records, but the default settings disallow that for
security reasons.  I seem to recall that there was a later change about
placing dynamic master files in a different directory, as well, somewhat
like how the slaves subdirectory is used.

One thing that gets you while testing is that the server doesn't write
changes to the zone files immediately, it caches things for a few
minutes (15, back in the days I was setting up mine), then writes them.
That way it only does one write every 15 minutes, rather than every time
some details change - which could be a lot on a big LAN.

When I moved from running BIND on Red Hat Linux to Fedora, I had to
change a named.conf setting about allowing updates.  It used to be more
allowing, and you could allow things by IP.  Later, you had to use a
shared key file (e.g. /etc/rndc.key") as the authenticator.

Some snippets from my /etc/named.conf file:

# Let only the local machine control the server:

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";

zone "example.com" {
        type master;
        file "example.com.zone";
        allow-update { key "rndckey"; };
        allow-transfer { 192.168.0/24; };
        notify yes;
};

zone  "0.168.192.in-addr.arpa" { 
        type master; 
        file  "0.168.192.in-addr.arpa.zone"; 
        allow-update { key "rndckey"; };
        allow-transfer { 192.168.0/24; };
        notify yes;
};

This was a chrooted server, and those paths refer to inside the chroot
jail.  I had symlinks in the real /etc pointing to the chrooted files,
so that any configuration tools did actually play with the right files.
But, in the end, I gave up on using configuration tools, they were too
limiting, and often broken.

> Maybe I just have a old named.conf file that has
> been ported from one fedora to another for several
> releases and I didn't notice some change made
> to the default directories.

That sort of thing does happen.  I tend to customise newer installs by
modifying the configuration files that come with them, rather than
hoping they'll work with an older version's file.  I find I have less
problems, that way.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux