Newbie: db.files Who owns them?

Joseph S D Yao jsdy at cospo.osis.gov
Wed Jun 27 23:55:45 UTC 2001


On Wed, Jun 27, 2001 at 08:25:26PM +0000, Manchild wrote:
> I did an ls -l in the /var/named directory and I am wondering who should own
> these. Are they to be root:root or named:named? This is Bind 8.2.3.
> 
> [root at dingding /root]# cd /var/named
> [root at dingding named]# ls -l
> total 20
> -rw-r--r--    1 root     root          228 Jun  5 00:06 127.0.0.zone
> -rw-r--r--    1 root     root          184 Jun  5 00:06 localhost.zone
> -rw-r--r--    1 root     root         2769 Feb  3  2000 named.ca
> -rw-r--r--    1 root     root          187 Apr 19 17:56 named.local
> -rw-r--r--    1 root     root         2769 Jun  5 00:07 root.hint
> [root at dingding named]#

The zone files for zones for which your name server is "master" are
owned by either whoever created them or whoever last checked them out
and modified them.  [You do use RCS or CVS or something similar,
right?]  They just have to be readable by the name server as the
UID/GID under which you're running it.

The zone files for zones for which your name server is "slave" are
owned by the user ID under which you are running 'named', which is
configurable.  Therefore, of course, the directory into which they are
to be written must be writable by that user.  (After getting to a
certain level of complexity, I started having separate directories for
the "master" and "slave" zone files; and I rarely look at the "slave"
zone files any more.)
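The two rules above (master zone files need only be readable by the UID/GID named runs as; a slave directory must additionally be writable by that user) can be checked mechanically. The script below is an added example, not part of the original post, and not BIND's own tooling. It assumes GNU coreutils `stat -c`, so it reflects only the classic owner/group/other mode bits (not ACLs), and it assumes the named account is called `named:named`; both the account names and the directory paths are placeholders to adjust for your system.

```shell
#!/bin/sh
# Added example (not from the original post): audit a BIND zone directory
# against the user:group that named runs as. Assumed names below.
NAMED_USER=${NAMED_USER:-named}
NAMED_GROUP=${NAMED_GROUP:-named}

# perm_allows PATH USER GROUP BIT
# Succeeds if USER (whose primary group is GROUP) has permission BIT
# (4 = read, 2 = write) on PATH, judged from owner, group and mode bits
# the way the kernel does: owner bits if USER owns it, else group bits if
# GROUP matches, else the "other" bits.
perm_allows() {
    path=$1 user=$2 group=$3 bit=$4
    out=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 2
    set -- $out
    owner=$1 fgroup=$2 mode=$3
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$user" ]; then
        [ $((u & bit)) -ne 0 ]
    elif [ "$fgroup" = "$group" ]; then
        [ $((g & bit)) -ne 0 ]
    else
        [ $((o & bit)) -ne 0 ]
    fi
}

# audit_zone_dir DIR ROLE [USER GROUP]
# ROLE is "master" or "slave". Every zone file must be readable by the
# named user; a slave directory must also be writable by it, because named
# writes transferred zones there. Master files owned by root are flagged,
# since the post recommends a non-root, non-personal owner for them.
# Prints one line per finding and returns the number of findings.
audit_zone_dir() {
    dir=$1 role=$2 user=${3:-$NAMED_USER} group=${4:-$NAMED_GROUP}
    problems=0
    if [ "$role" = slave ] && ! perm_allows "$dir" "$user" "$group" 2; then
        echo "$dir: slave zone directory not writable by $user"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! perm_allows "$f" "$user" "$group" 4; then
            echo "$f: not readable by $user"
            problems=$((problems + 1))
        fi
        if [ "$role" = master ] && [ "$(stat -c %U "$f")" = root ]; then
            echo "$f: owned by root (consider a non-root, non-personal owner)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Typical use (paths are placeholders):
#   audit_zone_dir /var/named master
#   audit_zone_dir /var/named/slaves slave
```

Run it as any user that can `stat` the directory; it never needs root, which is in keeping with the rant that follows. A non-zero return is the count of findings, so `audit_zone_dir /var/named master || echo "$? problem(s)"` makes a usable cron check.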

As for who "should" own the zone files ... I would say, whoever is
running the zone!  Sometimes, you might have different people running
different zones, and then those people might need access to their own
zone file but nobody else's.  Sometimes you have "the system
administrator" taking care of all of the zone files.  I would then have
them owned by a user ID that is NOT anyone's personal ID and is NOT
root.  Named is fine; I use bin because I don't separate powers on the
name server machines.  ;-)  Or I give group access to those privileged
to check the file out of RCS and modify it, and then it's owned [as I
said] by whoever last checked it out and modified it.

<rant>
Never do anything as "root" on your machine.  Never, ever, ever.  Not
ever.  Unless you have to.  And even then don't.  Unless you can't do
it any other way.  And really, really, try to find that other way.
</rant>

Obviously, I have seen really stupid things done, occasionally by
myself, as root.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
OSIS Center Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
