/var/lib/named not writable by named?
Josef Moellers
jmoellers at suse.de
Thu Jul 23 14:52:05 UTC 2020
On 23.07.20 15:56, Jeremy C. Reed wrote:
> On Wed, 22 Jul 2020, Josef Moellers wrote:
>
>> I just read that /var/lib/named is only writable by root "for security
>> reasons" (cf http://inai.de/linux/adm_ddns).
>>
>> Can anyone explain why this is so?
>
> Not BIND specific. It is a common practice when running network servers
> to drop or reduce privileges when they can. In that case, the process
> may start as root but then changes to a dedicated user. (I didn't follow
> the URL above.) If the process needs to write to any files, then the
> system can be set up for specific directories or files that are writable
> by the dedicated user.
I do understand about dropping privileges, which is perfectly OK. Named
runs as user/group named/named and so has no special privileges, but we
had an issue recently wrt transactional updates and we solved it by
making /var/lib/named owner root:named and perms rwxrwxr-t which would
allow write access only to root and named. I am wary about any security
issues which may arise from this. That's why I'm asking.
> (Also see the May 20 response I emailed that is somewhat related to
> this.)
I'll consult the archive in parallel.
Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer