Bug 191026

Summary: BIND should not change permissions in /var/named
Product: [Fedora] Fedora Reporter: Jørgen Thomsen <joergen>
Component: bind Assignee: Jason Vas Dias <jvdias>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 5   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind-9.3.2-20.FC5 Doc Type: Bug Fix
Last Closed: 2006-06-14 21:18:41 UTC Type: ---

Description Jørgen Thomsen 2006-05-08 08:43:24 UTC
Description of problem:
When BIND directories exist the installation should not change permissions on 
files and directories. 
An upgrade which pulled in the installation of BIND destroyed our custom 
installation and changed permissions so our utility programs could not access 
the zonefiles as well as other files kept in /var/named.
 
See bugs 190330 and 191024. 

Version-Release number of selected component (if applicable):
The one in the Fedora Core 5 DVD

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Jason Vas Dias 2006-06-14 21:18:41 UTC
The upgrade you refer to which 'destroyed our custom installation', for which
I sincerely apologize, appears to be to bind-9.3.2-4.1 from the FC-5 GOLD
release, and was probably caused by also having the 'caching-nameserver' RPM
installed, which provided a certain BIND configuration for a caching-nameserver,
replacing any existing configuration (though it did back up any existing config
files to '.rpmsave' files).

caching-nameserver has now been obsoleted by bind-config, which no longer 
provides any files that conflict with bind, bind-chroot, or a user's custom
config. It provides the 'named.caching-nameserver.conf', which is used by 
the initscript only if named.conf does not exist, and the 'named.rfc1912.zones'
named.conf file, for the localhost zones.

The permissions of the $ROOTDIR/{etc/{named,rndc}.*,var/named/*} files are as
mandated by our security response team, and have been the subject of many bind
security bugs, for the security provided by any bind-chroot environment rests
upon them.  The permissions of these bind configuration files and directories
are updated by RPM after each upgrade, and are correct for security - they 
should cause no problems to properly privileged users (i.e. root or members of
the 'named' group). If the standard bind permissions do cause you problems,
please specify which permissions and the details of the problems caused.

Please try upgrading to the latest 'bind-*' release from FC-5 Updates or Rawhide 
 / FC-6 - you should have no further problems.
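
Added example (not part of the bug report or of the bind package): a small shell audit for collecting the "which permissions" details Comment 1 asks for, run against a tree such as `$ROOTDIR/var/named`. The function name and the two policy checks (group members need read access, nothing is world-writable) are assumptions made for illustration; the page does not list the mandated modes.

```shell
#!/bin/sh
# Added example. Assumed policy (not stated on the page):
#   - everything in the tree belongs to the given group (e.g. named)
#   - that group can read files and enter directories
#   - nothing is world-writable
#
# audit_named_tree ROOT GROUP
#   ROOT   directory to audit, e.g. "$ROOTDIR/var/named"
#   GROUP  group name or numeric gid, e.g. named
# Prints one "FINDING<TAB>path" line per problem, nothing if the tree is clean.
audit_named_tree() {
    root=$1
    group=$2

    # Owned by another group: members of GROUP only get the "other" bits.
    find "$root" ! -type l ! -group "$group" \
        -exec printf 'WRONG-GROUP\t%s\n' {} \;

    # Files the group cannot read (what breaks helper tools run as a group member).
    find "$root" ! -type l ! -type d -group "$group" ! -perm -040 \
        -exec printf 'GROUP-NO-READ\t%s\n' {} \;

    # Directories the group cannot list and enter (needs both r and x).
    find "$root" -type d -group "$group" ! -perm -050 \
        -exec printf 'GROUP-NO-ACCESS\t%s\n' {} \;

    # Anything any local user could modify.
    find "$root" ! -type l -perm -002 \
        -exec printf 'WORLD-WRITABLE\t%s\n' {} \;
}

# Usage (path and group are examples):
#   audit_named_tree "$ROOTDIR/var/named" named
```

The output can be pasted into a bug comment next to the user and group the failing utility runs as.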