TSIG with BIND requires chmod+chgrp /etc/namedb
Dan Langille
dan at langille.org
Tue Nov 5 19:25:19 UTC 2002
On 2 Nov 2002 at 10:01, Mark.Andrews at isc.org wrote:
>
> >
> > On 1 Nov 2002 at 17:07, Kevin Darcy wrote:
> >
> > >
> > > Dan Langille wrote:
> > >
> > > > On 1 Nov 2002 at 10:22, Cricket Liu wrote:
> > > >
> > > > >
> > > > > Dan Langille wrote:
> > > > > > It appears that using TSIG with BIND for secondary domains requires a
> > > > > > chmod and chgrp of /etc/namedb.
> > > > > >
> > > > > > I've been adding TSIG to varioius domains. But I've found that on my
> > > > > > slave servers, I've had to set the directory permissions as this:
> > > > > >
> > > > > > $ ls -ld /etc/namedb/
> > > > > > drwxrwxr-x 4 root bind 512 Oct 15 09:26 /etc/namedb/
> > > > > > $ ls -ld /etc/namedb/secondary/
> > > > > > drwxr-x--- 2 bind bind 512 Oct 15 09:25 /etc/namedb/secondary/
> > > > > >
> > > > > > The original permissions on /etc/namedb are:
> > > > > > drwxr-xr-x 2 root wheel 512 Mar 9 2002 /etc/namedb
> > > > > >
> > > > > > named is running as: /usr/sbin/named -u bind -g bind
> > > > > >
> > > > > > Some bits from /etc/namedb/named.conf:
> > > > > >
> > > > > > options {
> > > > > > directory "/etc/namedb";
> > > > > >
> > > > > > I don't really liked having to change the permission of /etc/namedb
> > > > > > especially as that will be necessary for people runnning secondary
> > > > > > DNS for me.
> > > > > >
> > > > > > Any comments/suggestions?
> > > > > >
> > > > > > [I'm using named 8.3.3-REL on FreeBSD 4.6-stable]
> > > > >
> > > > > I don't see why TSIG would require that the name server be able to
> > > > > write to the working directory. The name server would need to be
> > > > > able to read the named.conf file or whatever file contained the key
> > > > > definition, but that's it.
> > > >
> > > > It sounds like you do not believe me.... ;)
> > > >
> > > > Unless I do those chmod's, I get these errors:
> > > >
> > > > named[41288]: starting (/etc/namedb/named.conf). named 8.3.3-REL Wed
> > > > Jul 31 09:19:38 PDT 2002
> > > > root at nezlok.example.org:/usr/obj/usr/src/usr.sbin/named
> > > > named[41288]: limit files set to fdlimit (1024)
> > > > named[41289]: Ready to answer queries.
> > > > named[41289]: write_tsig_info: mkstemp(tsigs.i0FeEp) for TSIG info
> > > > failed
> > > > named[41289]: unable to write tsig info: 'example.com'
> > >
> > > Yeah, it appears that BIND 8 writes TSIG keys into a temporary file. In
> > > 20/20 hindsight, perhaps it would have been smarter for it to chdir() into
> > > the directory of the associated inbound zone transfer.
> > >
> > > NOTE: I just tested BIND 9.2.2rc1 in this scenario and it doesn't appear to
> > > have the same problem. So I guess the short answer is "upgrade".
> >
> > Thanks for that information. Unfortunately, upgrading isn't an
> > option as the slave servers in question are run by other people. I
> > can't ask them to upgrade just to cater for my TSIG wishes. I'll
> > have to find another solution.
> > --
> > Dan Langille
> >
>
> Remember that there is nothing actually wrong with named writing
> to its working directory. named.run is written there by default
> as is named_dump.db, named.memstats and any core file.
>
> Writing to "/tmp" is actually more of a security risk as it is
> writable by everyone. The working directory shouldn't be.
>
> In general named should be able to write to its working directory.
>
> If I was chrooted and was worried about it I would have
>
> /etc/namedb/slave/ (writable by named)
> /etc/namedb/master/ (readable by named)
> /etc/namedb/etc/ (readable by named)
> /etc/namedb/scratch/ (writable by named)
>
> named -t /etc/namedb -u named -g named
>
> options {
> directory "/scratch";
> pid-file "named.pid";
> ...
> }
>
> zone ... {
> type master;
> file "/master/...";
> };
>
> zone ... {
> type slave;
> file "/slave/...";
> masters { ... };
> };
Thank you for that. See also this reference:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=844261+0+current/freebsd-
questions
Which contains:
This looks like a re-run of a posting you made a while back, but what
I do is just tell named.conf that /etc/namedb/secondaries is my main
directory, and that directory has write permissions for bind already.
I then use "../master/foo.com" as the directory for any master zones
I host.
What this accomplishes is that the TSIG temp files are written in the
secondaries subdirectory, and no other directories can be written to
by bind, preserving the sandbox.
--
Dan Langille
More information about the bind-users
mailing list