[arch-general] Bind - working directory not writeable issue - a possible fix?
For a very long time I have noticed that when starting named there is a log message, or in systemctl status a line, complaining about being unable to write to the working directory, as in the 2nd line with date/time from the command below:

[root@lapmike3 ~]# systemctl status named
named.service - Internet domain name server
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
   Active: active (running) since Sat 2013-02-09 09:45:40 GMT; 1h 2min ago
 Main PID: 336 (named)
   CGroup: name=systemd:/system/named.service
           └─336 /usr/sbin/named -f -u named

Feb 09 09:45:42 lapmike3 named[336]: command channel listening on ::1#953
Feb 09 09:45:42 lapmike3 named[336]: the working directory is not writable
Feb 09 09:45:42 lapmike3 named[336]: managed-keys-zone: loaded serial 0
Feb 09 09:45:42 lapmike3 named[336]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Feb 09 09:45:42 lapmike3 named[336]: zone localhost/IN: loaded serial 42
Feb 09 09:45:42 lapmike3 named[336]: all zones loaded
Feb 09 09:45:42 lapmike3 named[336]: running
Feb 09 10:45:42 lapmike3 named[336]: listening on IPv4 interface wlan0, 10.0.0.69#53
Feb 09 10:45:42 lapmike3 named[336]: could not listen on UDP socket: permission denied
Feb 09 10:45:42 lapmike3 named[336]: creating IPv4 interface wlan0 failed; interface ignored

Looking at the permissions of /var/named in arch here on my laptop I see:

drwxr-x--- 2 root named 4096 Dec  4 21:23 named

So doing:

[root@lapmike3 ~]# chmod 770 /var/named

Now:

drwxrwx--- 2 root named 4096 Dec  4 21:23 named

And

[root@lapmike3 ~]# systemctl restart named
[root@lapmike3 ~]# systemctl status named
named.service - Internet domain name server
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
   Active: active (running) since Sat 2013-02-09 10:50:48 GMT; 3s ago
  Process: 3619 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 3623 (named)
   CGroup: name=systemd:/system/named.service
           └─3623 /usr/sbin/named -f -u named

Feb 09 10:50:48 lapmike3 named[3623]: automatic empty zone: A.E.F.IP6.ARPA
Feb 09 10:50:48 lapmike3 named[3623]: automatic empty zone: B.E.F.IP6.ARPA
Feb 09 10:50:48 lapmike3 named[3623]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 09 10:50:48 lapmike3 named[3623]: command channel listening on 127.0.0.1#953
Feb 09 10:50:48 lapmike3 named[3623]: command channel listening on ::1#953
Feb 09 10:50:48 lapmike3 named[3623]: managed-keys-zone: loaded serial 0
Feb 09 10:50:48 lapmike3 named[3623]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Feb 09 10:50:48 lapmike3 named[3623]: zone localhost/IN: loaded serial 42
Feb 09 10:50:48 lapmike3 named[3623]: all zones loaded
Feb 09 10:50:48 lapmike3 named[3623]: running

Looks much better now! But the question is whether or not this is a good thing to do. Does anyone know if there are any bad consequences to resolving this problem by changing the permissions of /var/named as I have done above? If this is a good solution, shouldn't that permission be set that way when the bind package (bind 9.9.2.P1-1) is initially installed, so that it does not then need changing after the install?

-- 
mike c
Hello Mike,

On Saturday the 9th at 12:01, Mike Cloaked wrote:

> So doing:
>
> [root@lapmike3 ~]# chmod 770 /var/named
>
> But the question is whether or not this is a good thing to do? Does anyone know if there are any bad consequences to resolving this problem by changing the permissions of /var/named as I have done above? If this is a good solution shouldn't that permission be set that way when the bind package (bind 9.9.2.P1-1) is initially installed, so that it does not then need changing after the install?
I'm not familiar with Arch's bind installation, but if /var/named contains anything not generated by bind as part of its operation, you probably don't want to do that. The only reference to the necessity of a writable directory I've found is in chapter 6 of the Admin Manual:

    The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator. ... So, whenever named is using automatic key maintenance, those two files [managed-keys.bind and managed-keys.bind.jnl] can be expected to exist in the working directory. (For this reason among others, the working directory should always be writable by named.)
I've not found those "among others". For the record, under FreeBSD, which I'm more familiar with, the default config file contains:

    options {
        directory "/etc/namedb/working";
        // more options...
    };

http://svnweb.freebsd.org/base?view=revision&revision=200563

And /etc/namedb/working belongs to user bind, is 0755 and empty until named writes its key files. Note that with an explicit directory option, you will want to have fully-qualified paths for the other directives that specify paths.

-- 
Fred
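A small audit script for the two layouts discussed in this thread (chmod 770 on the whole of /var/named versus a separate, named-owned working directory as in the FreeBSD default). This is an added example, not code from the thread or from the bind package; it assumes GNU stat(1) and id(1), and the paths and user name are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit a BIND directory layout of the
# kind Fred describes for FreeBSD. Zone files stay in a directory the named
# user can only read; a separate working directory (named.conf "directory"
# option) is writable by named for managed-keys.bind and its .jnl journal.
# Assumptions, not from the thread: GNU stat(1) %U/%G/%a, id(1), POSIX sh.

# Decide from owner, group and mode bits whether USER may write DIR.
# Exit 0 = writable, 1 = not writable, 2 = cannot stat. Judges classic
# mode bits only: root, capabilities and POSIX ACLs are not modelled.
dir_writable_by() {
    dir=$1; user=$2
    info=$(stat -c '%U %G %a' "$dir" 2>/dev/null) || return 2
    set -- $info
    owner=$1; group=$2; mode=$(( 0$3 ))   # octal text -> number
    if [ "$owner" = "$user" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    [ $(( bits & 2 )) -ne 0 ]
}

# Check the split layout for USER: ZONEDIR must not be writable (a
# compromised named could otherwise rewrite its own zone data), WORKDIR
# must be (otherwise "the working directory is not writable" is logged).
# Prints one line per finding; exits 0 only when both conditions hold.
audit_bind_dirs() {
    zonedir=$1; workdir=$2; who=$3; rc=0
    z=0; dir_writable_by "$zonedir" "$who" || z=$?
    case $z in
        0) echo "RISK: $zonedir is writable by $who"; rc=1 ;;
        1) echo "ok: $zonedir is read-only for $who" ;;
        *) echo "ERROR: cannot stat $zonedir"; rc=1 ;;
    esac
    w=0; dir_writable_by "$workdir" "$who" || w=$?
    case $w in
        0) echo "ok: $workdir is writable by $who" ;;
        1) echo "PROBLEM: $workdir is not writable by $who"; rc=1 ;;
        *) echo "ERROR: cannot stat $workdir"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit.sh /var/named /var/named/working named  (example paths)
if [ $# -ge 3 ]; then audit_bind_dirs "$1" "$2" "$3"; fi
```

Run against the thread's chmod 770 layout with the same directory given as both zone and working directory, the script reports the RISK line, which is the trade-off Fred's answer points at.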
participants (2)
- Frédéric Perrin
- Mike Cloaked