/var/lib/named not writable by named?

Josef Moellers jmoellers at suse.de
Thu Jul 23 15:14:43 UTC 2020


On 23.07.20 15:56, Jeremy C. Reed wrote:
> On Wed, 22 Jul 2020, Josef Moellers wrote:
> 
>> I just read that /var/lib/named is only writable by root "for security
>> reasons" (cf http://inai.de/linux/adm_ddns).
>>
>> Can anyone explain why this is so?
> 
> Not BIND specific. It is a common practice when running network servers 
> to drop or reduce privileges when they can. In that case, the process 
> may start as root but then changes to a dedicated user. (I didn't follow 
> the URL above.) If the process needs to write to any files, then the 
> system can be setup for specific directories or files that are writable 
> by the dedicated user.

I just consultet my notes on this issue and what it was all about and it
seems that what I found re /var/lib/named to be writable by root only is
not true:

For transactional updates we use systemd-tmpfiles to construct the
/var/lib/named subtree and the spec file has /var/lib/named owner
named:named and perms 755, so it IS writable by named. The problem we
faced was that systemd-tmpfiles choked on the fact that for the
chroot-ed named, a set of subdirectories needed to be created which are
owned by root and that is forbidden according to systemd-tmpfile's
rules: when traversing the tree, a switch from privileged to
nonprivileged owner (eg root -> named) is OK but nonprivileged to
privileged (eg named -> root) is not and that is what happened with some
of the subdirectories the chroot-ed named needed, eg etc and dev! This
may be to prevent an unprivileged user to remove the subdirectories and
set up new ones (which are then not owned by root, but that may easily
go undetected).

To overcome that, we changed /var/lib/named to root:named with perms
rwxrwxr-t so systemd-tmpfiles is satisfied and named can still write to
/var/lib/named (/var/lib/named/var/lib/named being a symlink to
/var/lib/named, so both, the non-chroot-ed named and the chroot-ed named
will need to have write-access).

TL;DR AFAICS my original statement was wrong.

Thanks anyway for listening/reading and ... stay healthy!

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer


More information about the bind-workers mailing list