fedora core 9 bind problem

Mark Andrews Mark_Andrews at isc.org
Thu Jun 26 22:51:28 UTC 2008


> On Thu, Jun 26, 2008 at 10:19:25AM +1000, Mark Andrews wrote:
> > 
> > 	Named has *always* required a writeable working directory.
> > 	This was explicitly pointed out in earlier versions of
> > 	manuals, etc.  The working directory is the default write
> > 	location for lots of files, in addition it is the default
> > 	on most OS's for core dumps.  Failure to provide this
> > 	may cause some operations to fail.  It may also make it
> > 	more difficult to diagnose fatal problems which cause named
> > 	to exit.
> 
> Hm, could you point me why exactly working directory is required to be
> writable? We have writable subdirectories in working directory for
> secondary zones, DDNS zones, runtime information but many of files
> don't have to be writable - like zone files (non DDNS zones), keys
> etc. It improves security and doesn't affect named.

Please prove your assertion that a non-writable working directory
improves security.  Remember the working directory does not need
to be "/var/named". "/var/named/working", which is empty, will do
just fine.

> Only core files
> might be problem (it was discussed some time ago) but this is not
> common situation and admin can explicitly make working directory
> writable.

Which does not help with non-(easily)-reproducible conditions.  The
point in having the directory writable is that you catch the state
the server is in when you have a problem.

> > 	If the defaults presented by the OS don't meet the applications
> > 	needs then the defaults are wrong and should be corrected.
> > 	"defaults" here covers both the file system and the contents
> > 	of named.conf.
> > 
> > 	Mark
> 
> I'm ready to make working directory writable but I don't see any
> benefit now. Could you point me in which situations named could have
> problems?

Failure to write a core is a problem for anyone that wants support.
Named, deliberately, attempts to write core files.

Mark

> Adam
> 
> -- 
> Adam Tkac, Red Hat, Inc.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
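
The layout discussed in this message (a dedicated, initially empty working directory that named can write to, kept apart from zone files and keys) can be audited with a short script. This is an added example, not part of the original post or of BIND; the function names are hypothetical, and it assumes named.conf sets the path with a `directory "<path>";` line and that the caller passes the numeric uid and gid named runs as (a non-root account).

```shell
#!/bin/sh
# Added example (not from the thread): audit named's working directory.
# Assumptions: named.conf sets the path with a  directory "<path>";  line,
# and the caller supplies the numeric uid and gid named runs as.

# Print the path from the first `directory "...";` statement in a named.conf.
named_workdir() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" |
        head -n 1
}

# Succeed if the mode/owner/group from `ls -ldn` let uid/gid write to the dir.
can_write() {   # can_write <mode-string> <owner> <group> <uid> <gid>
    if [ "$2" = "$4" ]; then
        [ "$(printf %s "$1" | cut -c3)" = w ]
    elif [ "$3" = "$5" ]; then
        [ "$(printf %s "$1" | cut -c6)" = w ]
    else
        [ "$(printf %s "$1" | cut -c9)" = w ]
    fi
}

# audit_workdir <named.conf> <uid> <gid>
# Prints: missing | not-writable | writable-not-empty | ok
audit_workdir() {
    conf=$1; uid=$2; gid=$3
    dir=$(named_workdir "$conf")
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then echo missing; return 0; fi
    set -- $(ls -ldn "$dir")    # $1 mode string, $3 owner uid, $4 group gid
    if ! can_write "$1" "$3" "$4" "$uid" "$gid"; then
        echo not-writable       # core files and default-path writes will fail
    elif [ -n "$(ls -A "$dir")" ]; then
        echo writable-not-empty # other files share the writable directory
    else
        echo ok                 # dedicated, empty, writable working directory
    fi
}
```

Only the primary gid is compared, so write access granted through a supplementary group or an ACL is reported as `not-writable`.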

