named-xfer errors
Ralf Hildebrandt
R.Hildebrandt at tu-bs.de
Mon Apr 10 16:36:13 UTC 2000
On 10.04.2000 at 11:18:19 -0500, lpb at Starbase.NeoSoft.COM wrote the following:
> Here's the ls -l:
>
> /var/named/usr: drwx------ 4 named named 1024 Mar 13 15:29 /var/named/usr
I don't think it needs to be writable for user named! r-x should suffice.
Principle of least privilege.
> /var/named/usr/sbin: drwxr-x--- 2 named named 1024 Mar 6 14:10 /var/named/usr/sbin
Same here.
> /var/named/usr/sbin/named-xfer: -rwxr-x--- 1 root named 1406967 Mar 6 14:09 /var/named/usr/sbin/named-xfer
Ok, it's executable for group named. Do you have /etc/group in the jail?
/etc/passwd? What happens if you change the permissions (for a test) to 555?
or to named:named, mode 550?
> There is a debug setting in ns_maint.c/spawnxfer() that will print out the
> args, but it means i have to rebuild with -DDEBUG. I'd rather not, but if
> the problem isn't obvious I guess I have to.
I can understand that :)
> It seems from reading the code that the vfork in spawnxfer should inherit
> the chroot from the -t. ?? !
> I see you have your named linked to /usr/sbin. I didn't see any need to
> have another "copy" of named in /usr/sbin, since there's no reason for
> anyone but user "named" to run it, and then only in the "jail". I'm curious
> to know what would happen to YOUR environment if you took that link away.
ndc invokes /usr/sbin/named, thus it needs to be there.
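The checks suggested in this reply (passwd and group present inside the jail, an exec bit on named-xfer that user or group named can use, no write access where r-x suffices), as an added audit script that is not part of the thread. It assumes the jail layout quoted above and a POSIX `ls -ld`; the jail path, service user and group are arguments.

```shell
#!/bin/sh
# Audit helper for a BIND chroot jail (added example, not from the list thread).
# Assumed layout: $JAIL/usr/sbin/named-xfer, $JAIL/etc/passwd, $JAIL/etc/group.
# Permission checks parse POSIX `ls -ld` output (mode links owner group ...).

# bit_at MODE POS LETTER: true if LETTER (r, w or x) is set at column POS of MODE.
# Lowercase s/t count as x (setuid/setgid/sticky with the exec bit set).
bit_at() {
  c=$(printf %s "$1" | cut -c"$2")
  case "$3$c" in rr|ww|xx|xs|xt) return 0 ;; esac
  return 1
}

# has_bit "LS_LD_LINE" USER GROUP LETTER: true if USER:GROUP gets LETTER on the
# listed object through the owner, group or other permission set.
has_bit() {
  hb_user=$2 hb_group=$3 hb_bit=$4
  set -- $1
  hb_mode=$1 hb_owner=$3 hb_grp=$4
  case $hb_bit in r) p=2 ;; w) p=3 ;; x) p=4 ;; esac     # owner column of the bit
  if [ "$hb_owner" = "$hb_user" ] && bit_at "$hb_mode" "$p" "$hb_bit"; then return 0; fi
  if [ "$hb_grp" = "$hb_group" ] && bit_at "$hb_mode" "$((p+3))" "$hb_bit"; then return 0; fi
  bit_at "$hb_mode" "$((p+6))" "$hb_bit"
}

# audit_jail JAIL USER GROUP: prints one line per finding, returns the number of findings.
audit_jail() {
  jail=$1 user=$2 group=$3 n=0
  # The jail needs its own passwd/group, or uid/gid lookups fail after chroot.
  for f in etc/passwd etc/group; do
    [ -f "$jail/$f" ] || { echo "MISSING $jail/$f"; n=$((n+1)); }
  done
  # named-xfer must be executable for the identity named runs as (owner or group bit).
  x=$jail/usr/sbin/named-xfer
  if [ ! -f "$x" ]; then
    echo "MISSING $x"; n=$((n+1))
  elif ! has_bit "$(ls -ld "$x")" "$user" "$group" x; then
    echo "NOEXEC $x: not executable as $user:$group"; n=$((n+1))
  fi
  # Least privilege: the service identity should not be able to write into the jail's
  # binary tree; r-x is enough to traverse and execute.
  for d in $(find "$jail/usr" -type d 2>/dev/null); do
    if has_bit "$(ls -ld "$d")" "$user" "$group" w; then
      echo "WRITABLE $d: $user:$group can write here, r-x suffices"; n=$((n+1))
    fi
  done
  return $n
}
```

Run it as `audit_jail /var/named named named`; a non-zero exit status is the finding count.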