File System Permissions for Windows Service Account

Will DELETE_westes at earthbroadcast.com
Mon Sep 25 18:41:14 UTC 2006


I'm liking most of this, but what is the reasoning for this permission:

     - CREATOR-OWNER: special: full rights for sub-folders and files only

named has full access in your scheme. What other creator owner is there
going to be?

-- 
Will


"Olaf Lautenschlaeger" <ol at anova.de> wrote in message
news:ef94m9$opn$1 at sf1.isc.org...
> On Sunday, September 24, 2006 9:02 PM [GMT+1=CET],
> Will <DELETE_westes at earthbroadcast.com> wrote:
> > In BIND 9.3 under Windows, what NTFS file system permissions does the
> > service account need to run correctly?
>
> I just found out that the default permissions
> from installation didn't make too much sense.
>
> It turned out that the following will work well:
> (presumed having
>  options {
>    directory "C:/WinNT/system32/dns"; ...
> };
> in named.conf)
>
> for the base dir above (no inheritance,
> remove User/Power user group etc.):
> - group Administrators: full access
> - user named: full access
> - SYSTEM: Read/Execute, List folders, Read
> - CREATOR-OWNER: special: full rights for sub-folders and files only
>
> You'll probably notice that temp files are written here.
> (I've been running into trouble especially with this).
>
> {basedir}\bin:
> inherit the above (have no TSIG key files residing
> there!)
>
> {basedir}\etc:
> - Administrators: full access
> - named: full access
> - CREATOR-OWNER: special: full access for sub-folders and files only
>
> (all naming is back-translated from my German win2k)
>
> Someone will probably contradict or, even better, point
> to a more subtle rights allocation.
>
> Olaf Lautenschlaeger
> ANOVA Multimedia Studios GmbH, Rostock
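
The ACL layout from the quoted post, written as icacls calls for an elevated PowerShell prompt. This is an added example, not part of either message. It assumes a local service account called `named`, the directory from the post's named.conf, and a Windows version that ships icacls; well-known SIDs stand in for the group names so the commands also work on a localized system.

```powershell
# Added example (not from the thread). Assumptions: service account "named",
# base directory as given in the quoted named.conf, icacls available.
$base = 'C:\WinNT\system32\dns'
$etc  = Join-Path $base 'etc'
$bin  = Join-Path $base 'bin'
$svc  = 'named'

# Well-known SIDs avoid localized names such as "Administratoren".
$admins     = '*S-1-5-32-544'   # BUILTIN\Administrators
$system     = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$creator    = '*S-1-3-0'        # CREATOR OWNER
$users      = '*S-1-5-32-545'   # BUILTIN\Users
$powerUsers = '*S-1-5-32-547'   # BUILTIN\Power Users

# Base directory: write the explicit ACEs first so the ACL is never left
# empty, then cut inheritance and drop any explicit Users/Power Users ACEs.
# (OI)(CI)     = applies to this folder, subfolders and files
# (OI)(CI)(IO) = inherit-only: subfolders and files, not this folder
icacls $base /grant:r `
    "${admins}:(OI)(CI)F" `
    "${svc}:(OI)(CI)F" `
    "${system}:(OI)(CI)RX" `
    "${creator}:(OI)(CI)(IO)F"
icacls $base /inheritance:r
icacls $base /remove $users $powerUsers

# bin: no ACEs of its own, it inherits the base directory's ACL.
icacls $bin /reset /T

# etc: its own ACL without the SYSTEM entry, inheritance from base cut.
icacls $etc /grant:r `
    "${admins}:(OI)(CI)F" `
    "${svc}:(OI)(CI)F" `
    "${creator}:(OI)(CI)(IO)F"
icacls $etc /inheritance:r

# Review the result. CREATOR OWNER is a placeholder ACE: on each new file
# or subfolder it is replaced by an ACE for the account that created it.
icacls $base
icacls $etc
```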




More information about the bind-users mailing list