[ LUGOS ] Re: [ LUGOS ] Named problem

Rok Papez rok.papez at email.si
Wed Mar 21 17:49:47 CET 2001


So that the two of us don't keep pestering lugos-list, which has probably had more than enough of bind already.

On Tue, 20 Mar 2001, Borut Mrak wrote:
> > > controls {
> > >         unix "/var/run/ndc" perm 0600 owner 1000 group 2000;
> > > };
> > >
> > > where 1000 is the uid under which you run named, and 2000 the gid.
> >
> > I dare to disagree.
> 
> Yes?
> 
> What exactly works/doesn't work? In my experience a non-chrooted bind running as
> non-root (started with, say, named -u named -g named) needs the settings
> as I wrote them for ndc to work (true, I forgot to write down WHY you need those
> settings).

A chrooted bind that I start as named.named works
with the ndc FIFO set to uid=0 gid=0.

..hold on, I'll also check the RH bind package, which isn't chrooted.
OK.. here's the story:
------------------------------------------------------
[root at Strader init.d]# ./named start
Starting named:                                            [  OK  ]
[root at Strader init.d]# cat /etc/named.conf | grep unix
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
[root at Strader init.d]# cat /etc/rc.d/init.d/named | grep "daemon named"
        daemon named -u named -g named
[root at Strader init.d]# ndc stop
Shutdown initiated.
------------------------------------------------------
Hmmm... evidently it works if you set the FIFO owner and group to 0 even though
named runs as named.named.
-------------------------------------------------------

> > `man named.conf`, on the other hand, says somewhat ambiguously:
> >      A unix control channel is a FIFO in the file system, and access to it
> > is controlled by normal file system permissions.  It is created by named
> > with the specified file mode bits (see chmod(1)),  user and group owner.
> > numbers, not names.  It is recommended that the permissions be restricted
> > to administrative personnel only, or else any user on the system might be
> > able to manage the local name server.
> 
> And how does what I did above differ from what it says here?
> I don't see anything unambiguous here at all.

Basically you can read the instructions above as:
- The FIFO is created with the permissions and uid/gid you passed in the
configuration file.
- You access it like any other file.

From that one could infer that, say, you have a user
bind and a group admins that you want to have control over the DNS.
Then you set "mode=0660 uid=bind gid=admins".

You, however, wrote above that the uid,gid must match the bind that is running.

OK.. let's verify this claim of mine.
-----------------------------------------------------
[root at Strader /var]# cat /etc/passwd | grep rok
rok:x:500:500:Rok Papez:/home/rok:/bin/bash 
[root at Strader /var]# cat /etc/named.conf | grep perm
        unix "/var/run/ndc" perm 0600 owner 500 group 500;
[root at Strader /var]# /etc/rc.d/init.d/named start
Starting named:                                            [  OK  ]
[root at Strader /var]# dir run/ndc
srw-------    1 rok      rok             0 Mar 21 18:24 run/ndc
[rok at Strader /etc]$ whoami && /usr/sbin/ndc stop
rok
Shutdown initiated.
[root at Strader /var]# tailf /var/log/messages
Mar 21 18:24:12 Strader named[2606]: Forwarding source address is [0.0.0.0].1029
Mar 21 18:24:12 Strader named[2607]: group = named
Mar 21 18:24:12 Strader named[2607]: user = named
Mar 21 18:24:12 Strader named[2607]: Ready to answer queries.
Mar 21 18:24:12 Strader named: named startup succeeded
Mar 21 18:24:31 Strader named[2607]: Sent NOTIFY for "domena.si IN SOA" (domena.si); 1 NS, 1 A
Mar 21 18:24:50 Strader named[2607]: named shutting down 
-----------------------------------------------------
So my claim and my interpretation of the man page hold.
-----------------------------------------------------

-- 
best regards,
Rok Papez.
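Since the thread concludes that the ndc channel is protected only by ordinary file permissions on the socket, here is an added audit script (not from the thread or from BIND) that pulls the `unix` line out of a `controls` stanza and flags a mode that leaves any bits for "other"; the sample named.conf is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread. It reads a BIND 8 style
# "controls { unix ... }" line and checks whether the socket mode grants
# access to all users. Owner/group are numeric, as the man page quoted in
# the thread requires.

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
options { directory "/var/named"; };
controls {
        unix "/var/run/ndc" perm 0660 owner 0 group 2000;
};
EOF

# Print "path perm owner group" for the unix control channel line.
ndc_channel() {
    sed -n 's/^[[:space:]]*unix[[:space:]]*"\([^"]*\)"[[:space:]]*perm[[:space:]]*\([0-7]*\)[[:space:]]*owner[[:space:]]*\([0-9]*\)[[:space:]]*group[[:space:]]*\([0-9]*\).*/\1 \2 \3 \4/p' "$1"
}

# Return 0 if the mode grants nothing to "other" (last octal digit is 0),
# 1 otherwise. A world-accessible channel lets any local user run "ndc stop".
perm_is_restricted() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Audit one config file: 0 = restricted, 1 = too open, 2 = no channel found.
audit_ndc() {
    set -- $(ndc_channel "$1")
    [ -n "$1" ] || { echo "no unix control channel found"; return 2; }
    path=$1 perm=$2 owner=$3 group=$4
    if perm_is_restricted "$perm"; then
        echo "OK: $path mode $perm owner uid=$owner gid=$group"
        return 0
    fi
    echo "WARN: $path mode $perm grants access to all local users"
    return 1
}

audit_ndc "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against the real /etc/named.conf instead of the sample to check a live host; compare with `ls -l` on the socket path, as the thread does, to confirm named actually applied those bits.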


