/var/lib/named not writable by named?

Josef Moellers jmoellers at suse.de
Thu Jul 23 14:52:05 UTC 2020

On 23.07.20 15:56, Jeremy C. Reed wrote:
> On Wed, 22 Jul 2020, Josef Moellers wrote:
>> I just read that /var/lib/named is only writable by root "for security
>> reasons" (cf http://inai.de/linux/adm_ddns).
>> Can anyone explain why this is so?
> Not BIND specific. It is a common practice when running network servers 
> to drop or reduce privileges when they can. In that case, the process 
> may start as root but then changes to a dedicated user. (I didn't follow 
> the URL above.) If the process needs to write to any files, then the 
> system can be set up for specific directories or files that are writable 
> by the dedicated user.

I do understand about dropping privileges, which is perfectly OK. Named
runs as user/group named/named and so has no special privileges, but we
had an issue recently wrt transactional updates and we solved it by
making /var/lib/named owner root:named and perms rwxrwxr-t which would
allow write access only to root and named. I am wary about any security
issues which may arise from this. That's why I'm asking.

> (Also see the May 20 response I emailed that is somewhat related to 
> this.)

I'll consult the archive in parallel.

SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
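As an added example (not from this thread, BIND or the SUSE packaging), a small POSIX shell audit for the layout described above: owner root, group named, mode 1775 (rwxrwxr-t). It assumes GNU coreutils `stat -c`; for the real directory you would call `audit_dir /var/lib/named 0 "$(getent group named | cut -d: -f3)" 1775`.

```shell
#!/bin/sh
# Constructed example: audit a directory against the policy from the thread
# (owner root, group named, mode 1775). With that layout only root and the
# named user may create files, "other" has no write access, and the sticky
# bit stops named from removing or renaming files it does not own.
# Assumes GNU coreutils stat (-c); adjust for BSD stat if needed.

# audit_dir DIR EXPECTED_UID EXPECTED_GID EXPECTED_MODE
# Prints one line per finding. Returns 0 only if everything matches.
audit_dir() {
    dir=$1; want_uid=$2; want_gid=$3; want_mode=$4
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # uid, gid and octal mode (e.g. "1775") of the directory itself
    set -- $(stat -c '%u %g %a' "$dir")
    uid=$1; gid=$2; mode=$3

    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid $uid, want $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "FAIL: group gid $gid, want $want_gid"; rc=1; }
    [ "$mode" = "$want_mode" ] || { echo "FAIL: mode $mode, want $want_mode"; rc=1; }

    # Spell out the two bits that matter, independently of the exact mode:
    # last octal digit is "other"; a write bit there means world-writable.
    case $mode in
        *[2367]) echo "FAIL: $dir is world-writable"; rc=1 ;;
    esac
    # A leading 1, 3, 5 or 7 in a four-digit mode is the sticky bit (the "t").
    case $mode in
        [1357]???) ;;
        *) echo "WARN: sticky bit not set on $dir"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir is $uid:$gid mode $mode"
    return "$rc"
}
```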
