Bug 126638 - Permissions for /var/named set by BIND RPM conflict with DDNS
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
Version: 2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Jason Vas Dias
Duplicates: 112350
Reported: 2004-06-24 02:52 UTC by Paul Bender
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: selinux-policy-targeted-1.17.4.1
Doc Type: Bug Fix
Last Closed: 2004-08-25 22:54:43 UTC

Description Paul Bender 2004-06-24 02:52:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
When the bind RPM is installed it sets the ownership and permissions
on /var/named using the line '%attr(750,root,named) %dir /var/named'
in the spec file. Since named runs as the user named, named does not
have write access to /var/named. However, named needs write access to
/var/named in order to create the journal files it uses for dynamic DNS.

Version-Release number of selected component (if applicable):
9.2.3-13

How reproducible:
Always

Steps to Reproduce:
1. Install bind, configure it for dynamic DNS, and start it (named).
2. Install dhcp, configure it for dynamic DNS, and start it (dhcpd).
3. Have a client make a DHCP request.
4. Stop bind (named).
    

Actual Results:  named did not create *.jnl files for the zone files
that need to be updated by dynamic DNS.

Expected Results:  named should have created the *.jnl files for the
zones that needed to be updated by dynamic DNS.

Additional info:

Comment 1 Daniel Walsh 2004-06-24 14:25:13 UTC
Can't you set up these journal files to be in a subdirectory of named
with the appropriate privs?

Dan

Comment 2 Paul Bender 2004-06-24 15:40:51 UTC
I do not know of any way to do this. BIND creates the *.jnl files
automatically in its working directory, which is specified by the
'directory' option in /etc/named.conf. The working directory is the
same directory that contains the zone files and it is configured to be
'/var/named' by the /etc/named.conf file installed by the
caching-nameserver RPM. I do not know of any option to set the path
for the *.jnl files separate from the path for the working directory.

Comment 3 Glen Starrett 2004-06-29 00:53:46 UTC
Feeding the google search:  The error message you'll see in
/var/log/messages is:

dumping master file: tmp-XXXXPyA987: open: permission denied

and

zone my.domain.name/IN: dump failed: permission denied

Comment 4 Jason Vas Dias 2004-08-04 22:24:37 UTC
*** Bug 112350 has been marked as a duplicate of this bug. ***

Comment 5 Jason Vas Dias 2004-08-25 22:54:43 UTC
This is now fixed with selinux-policy-targeted-1.17.4-1.


Comment 6 Jason Vas Dias 2004-08-25 22:57:51 UTC
You may need to do:
  chown named:named /var/named
The ownership of this directory was changed to root:root 
in bind-9.2.3-13 as a security measure.
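
The permission arithmetic behind the description and the chown in Comment 6, as an added example (not part of the bug report or the bind package). The function names are hypothetical, and only classic owner/group/other mode bits are modelled, not SELinux policy or ACLs.

```python
import re

# Spec-file directive as quoted in the description:
#   %attr(750,root,named) %dir /var/named
ATTR_RE = re.compile(
    r"%attr\(\s*(\d{3,4})\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+%dir\s+(\S+)")

def parse_attr(line):
    """Return (mode, owner, group, path) from an RPM '%attr(...) %dir' line."""
    m = ATTR_RE.search(line)
    if not m:
        raise ValueError("no %attr(...) %dir directive in: " + line)
    return int(m.group(1), 8), m.group(2), m.group(3), m.group(4)

def can_create_files(mode, owner, group, user, user_groups):
    """POSIX DAC check: creating a file in a directory needs write AND search.

    Exactly one permission class applies: owner bits if the user owns the
    directory, otherwise group bits if the user is in the directory's group,
    otherwise the 'other' bits. The classes are never combined.
    """
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in user_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & 0o3) == 0o3  # w (2) and x (1) must both be set

def report(line, user, user_groups):
    """One-line verdict for a given daemon account against a spec line."""
    mode, owner, group, path = parse_attr(line)
    ok = can_create_files(mode, owner, group, user, user_groups)
    verdict = "can" if ok else "cannot"
    return f"{path} {mode:04o} {owner}:{group} -> {user} {verdict} create *.jnl files"

if __name__ == "__main__":
    # Line taken from the description; named runs as user 'named'.
    print(report("%attr(750,root,named) %dir /var/named", "named", {"named"}))
    # Constructed line modelling the state after 'chown named:named /var/named'.
    print(report("%attr(750,named,named) %dir /var/named", "named", {"named"}))
```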


