The RPM upgrade to the new P7 patch level of Bind changes the way bind is
run, so that it runs under user named, group named, instead of root.root.
While a good move security-wise, the installation scripts were not
sufficient to properly do this upgrade. I'm cleaning up a lot of systems
Specifically, the /var/run/named.pid file should have been set to
named.named ownership, and the entire contents of /var/named should have
been set (i.e. chown -R named.named /var/named) to ensure all existing
zone files in that directory are properly set. This last is especially
important on secondary name servers, where those files must be overwritten
by the running named process when zones are updated.
I observed this behaviour with Redhat 6.1 plus patches, but it will
certainly happen the same way on all releases to which this patch is
Further problems. It's not enough to set ownership on /var/run/named.pid, since bind wants to be able to CREATE the pid file. My solution to this is to
create a directory:
which is owned by named.named, then alter /etc/named.conf to include in the options area:
While this works, it appears it'll confuse the library of functions in /etc/rc.d/init.d/functions which expect the PID file to be in /var/run. The solution to this
would be to alter the /etc/rc.d/init.d/named script to NOT use /etc/rc.d/init.d/functions at all.
Is anyone at RedHat actually looking into a fixed RPM for this? I'm busy repatching a few dozen systems, but sooner or later the masses are going to
scream for a fixed RPM.
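For anyone doing the same clean-up by hand, the following is an added helper script (mine, not the poster's and not Red Hat's RPM scripts) that audits and applies the ownership changes described above: the pid directory /var/run/named, any leftover /var/run/named.pid, and everything under /var/named. ROOT is a prefix so it can be dry-run against a scratch tree; USER and GROUP default to named:named. It assumes GNU stat, find and chown as shipped on Red Hat 6.x.

```shell
#!/bin/sh
# Added example, not code from the thread: audit/fix the file ownership that
# running named as user named requires. ROOT is "" for the live system or a
# scratch directory for a dry run. Assumes GNU stat/find/chown.

# owner_of PATH -> prints "user:group" of PATH
owner_of() {
    stat -c '%U:%G' "$1"
}

# check_named_paths ROOT USER GROUP
# Prints one line per problem found; returns 1 if any, 0 if all is well.
check_named_paths() {
    root="$1"; user="$2"; group="$3"; want="$user:$group"; bad=0

    # named creates its own pid file after dropping privileges, so the
    # directory holding it must exist and belong to named.
    piddir="$root/var/run/named"
    if [ ! -d "$piddir" ]; then
        echo "MISSING $piddir"; bad=1
    elif [ "$(owner_of "$piddir")" != "$want" ]; then
        echo "WRONG-OWNER $piddir ($(owner_of "$piddir"), want $want)"; bad=1
    fi

    # A root-owned /var/run/named.pid left over from the old package is wrong too.
    oldpid="$root/var/run/named.pid"
    if [ -e "$oldpid" ] && [ "$(owner_of "$oldpid")" != "$want" ]; then
        echo "WRONG-OWNER $oldpid ($(owner_of "$oldpid"), want $want)"; bad=1
    fi

    # Every file and directory under /var/named must be owned by named;
    # secondaries rewrite zone files there on every transfer.
    zonedir="$root/var/named"
    if [ ! -d "$zonedir" ]; then
        echo "MISSING $zonedir"; bad=1
    else
        find "$zonedir" \( ! -user "$user" -o ! -group "$group" \) -print \
            | sed 's/^/WRONG-OWNER /'
        n=$(find "$zonedir" \( ! -user "$user" -o ! -group "$group" \) -print | wc -l)
        [ "$n" -eq 0 ] || bad=1
    fi

    return "$bad"
}

# fix_named_paths ROOT USER GROUP
# Creates the pid directory and hands it, any old pid file, and all of
# /var/named to named (chown -R named:named /var/named, as in the post above).
fix_named_paths() {
    root="$1"; user="$2"; group="$3"
    mkdir -p "$root/var/run/named" "$root/var/named" || return 1
    chown "$user:$group" "$root/var/run/named"        || return 1
    chown -R "$user:$group" "$root/var/named"         || return 1
    if [ -e "$root/var/run/named.pid" ]; then
        chown "$user:$group" "$root/var/run/named.pid" || return 1
    fi
    return 0
}

# Usage: sh named-perms.sh check|fix [ROOT]   (ROOT empty for the live system)
case "${1:-}" in
    check) check_named_paths "${2:-}" "${NAMED_USER:-named}" "${NAMED_GROUP:-named}" ;;
    fix)   fix_named_paths   "${2:-}" "${NAMED_USER:-named}" "${NAMED_GROUP:-named}" ;;
esac
```

Run "check" first on each box so you see exactly which files the RPM left root-owned before touching anything; "fix" is idempotent, so rerunning it after a future RPM upgrade is harmless.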
The current bind package uses /var/run/named/named.pid for its pid file as
suggested in the bind FAQ.