Bug 245638

Summary: DNS updates by dhcp are blocked by wrong permissions
Product: [Fedora] Fedora
Component: bind
Version: 7
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Reporter: David A. De Graaf <dad>
Assignee: Adam Tkac <atkac>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ovasik
Doc Type: Bug Fix
Last Closed: 2007-06-28 12:50:42 UTC

Description David A. De Graaf 2007-06-25 20:13:25 UTC
Description of problem:  dhcp cannot update dynamic assignments in
/var/named/chroot/var

Version-Release number of selected component (if applicable):
bind-chroot-9.3.4-5.fc6

How reproducible:
Pristine F7 has a basic permissions flaw.

Steps to Reproduce:
1. Configure dhcp.conf and named.conf to allow dynamic IP assignments and
updates to named data.

2. Have a new visiting computer come onto the network and be assigned an IP.

3. Note that 'host name' can find no data for this machine.

Actual results:  DNS data is not available for a new visitor machine.


Expected results:  DNS should be available after an IP is assigned.


Additional info:  The default permissions are:
# ll -d /var/named/chroot/var/named
drwxr-x--- 4 root named 4096 2007-05-24 10:55 /var/named/chroot/var/named/

The permissions should be:
# ll -d /var/named/chroot/var/named
drwxrwx--- 4 root named 4096 Jun 24 08:30 /var/named/chroot/var/named/

If group named is given write permissions, dhcp can write the necessary files:
# ll /var/named/chroot/var/named/*.jnl
-rw-r--r-- 1 named named 1847 Jun 24 08:18 /var/named/chroot/var/named/192.168.2.jnl
-rw-r--r-- 1 named named 2291 Jun 24 08:18 /var/named/chroot/var/named/datix.lan.jnl

and DNS data for the new machine will be found.  With the default permissions
the proper functioning of dhcp and named together is foiled.

This error has been around for years.  Please fix it.

Comment 1 Adam Tkac 2007-06-28 12:50:42 UTC
The /var/named directory will _never_ get rwxrwx--- perms. This could be a big
security hazard. When you need dynamic DNS, please see man named about the
ENABLE_ZONE_WRITE parameter and about the named_write_master_zones selinux boolean.
In Fedora 7 there are three directories where named can write: /var/named/data
(logs, stats etc.), /var/named/slaves (for slave zones) and /var/named/dynamic
(for dynamic DNS zones). The /var/named/dynamic directory is designed for your
purposes. Please put your zones there. You could also set the
named_write_master_zones boolean and the ENABLE_ZONE_WRITE parameter, and then your
zones in /var/named would be writable. But this approach is deprecated, and in
future Fedoras only the data, slaves and dynamic directories will be writable.

Regards, Adam
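The layout Adam describes can be checked mechanically. The script below is an added example, not part of the bug report or of Fedora's bind packaging: it audits a chroot tree for the two properties that matter here (var/named stays without group/world write, var/named/dynamic is the writable place for dynamically updated zones and their .jnl journals), flags journals that ended up directly under var/named, and prints a zone stanza that keeps the zone file under dynamic/ so no chmod on var/named is needed. The ROOT parameter, the constructed temp trees built by make_demo_tree, and the TSIG key name "dhcp-update" in the stanza are assumptions of this example; on a real system ROOT would be /var/named/chroot.

```shell
#!/bin/sh
# Added example (not from the bug report). Audits a BIND chroot tree laid out
# as Adam's comment describes: var/named must not be group/world writable,
# var/named/dynamic is the writable directory for dynamic zones and journals.
# ROOT is an assumed parameter so the checks can run on a constructed tree.

# Return 0 when DIR exists and neither group nor others may write to it.
dir_is_not_shared_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(stat -c '%A' "$dir")      # e.g. drwxr-x---
    case "$perms" in
        d????w*) return 1 ;;          # group write bit set (char 5)
        d???????w*) return 1 ;;       # other write bit set (char 8)
    esac
    return 0
}

# Return 0 when DIR exists and its group may write to it. named belongs to the
# group owning /var/named/dynamic, so this is the bit that matters there.
dir_is_group_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    case "$(stat -c '%A' "$dir")" in
        d????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit ROOT: print every finding, return non-zero if any problem was found.
audit_chroot() {
    root="$1"
    problems=0
    if dir_is_not_shared_writable "$root/var/named"; then
        echo "ok:   $root/var/named is not group/world writable"
    else
        echo "FAIL: $root/var/named is writable by group or others"
        problems=$((problems + 1))
    fi
    if dir_is_group_writable "$root/var/named/dynamic"; then
        echo "ok:   $root/var/named/dynamic is writable for dynamic zones"
    else
        echo "FAIL: $root/var/named/dynamic missing or not group writable"
        problems=$((problems + 1))
    fi
    # A journal directly under var/named means a dynamically updated zone file
    # was placed in the read-only directory instead of dynamic/.
    for jnl in "$root"/var/named/*.jnl; do
        [ -e "$jnl" ] || continue
        echo "FAIL: journal $jnl lives outside dynamic/"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Build a constructed chroot tree in a temp dir and print its path.
# LAYOUT "good" = Fedora defaults (zone and journal under dynamic/);
# LAYOUT "bad"  = the report's workaround (var/named chmod g+w, journal there).
make_demo_tree() {
    layout="$1"
    root=$(mktemp -d)
    mkdir -p "$root/var/named/dynamic" "$root/var/named/data" "$root/var/named/slaves"
    chmod 750 "$root/var/named"
    chmod 770 "$root/var/named/dynamic"
    if [ "$layout" = bad ]; then
        chmod 770 "$root/var/named"
        : > "$root/var/named/datix.lan.jnl"
    else
        : > "$root/var/named/dynamic/datix.lan.jnl"
    fi
    echo "$root"
}

# Print a zone stanza whose file lives under dynamic/, so named can apply
# updates without loosening var/named. The key name "dhcp-update" is assumed.
dynamic_zone_stanza() {
    zone="$1"
    cat <<EOF
zone "$zone" IN {
    type master;
    file "dynamic/$zone.db";
    allow-update { key dhcp-update; };
};
EOF
}

# Stand-alone run: audit both constructed layouts, then show the stanza.
good=$(make_demo_tree good); audit_chroot "$good" || true
bad=$(make_demo_tree bad);   audit_chroot "$bad"  || echo "=> bad layout rejected"
dynamic_zone_stanza datix.lan
rm -rf "$good" "$bad"
```

Run it as-is to see the two audits side by side; to check a live host, call audit_chroot /var/named/chroot (or / for a non-chrooted named) as root. The group-write test deliberately inspects only mode bits, so it works on a constructed tree where the files are not owned by named.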