[ LUGOS ] Re: [ LUGOS ] Re: [ LUGOS ] Named problem
Rok Papez
rok.papez at email.si
Wed Mar 21 17:49:47 CET 2001
So the two of us stop "pestering" lugos-list, which is probably fed up with bind by now.
On Tue, 20 Mar 2001, Borut Mrak wrote:
> > > controls {
> > > unix "/var/run/ndc" perm 0600 owner 1000 group 2000;
> > > };
> > >
> > > where 1000 is the uid you run named under, and 2000 the gid.
> >
> > I dare to disagree.
>
> Yes?
>
> What exactly works/doesn't work? In my experience a non-chrooted bind running as
> non-root (you start it with, say, named -u named -g named) needs the settings
> as I wrote them for ndc to work (true, I forgot to write WHY you need those
> settings).
A chrooted bind, which I start as named.named, works
with the ndc FIFO settings uid=0 gid=0.
..hold on, I'll also check the RH bind package, which is not chrooted.
OK.. the story is as follows:
------------------------------------------------------
[root@Strader init.d]# ./named start
Starting named: [ OK ]
[root@Strader init.d]# cat /etc/named.conf | grep unix
unix "/var/run/ndc" perm 0600 owner 0 group 0;
[root@Strader init.d]# cat /etc/rc.d/init.d/named | grep "daemon named"
daemon named -u named -g named
[root@Strader init.d]# ndc stop
Shutdown initiated.
------------------------------------------------------
Hmmm... it evidently works if you set the FIFO owner and group to 0, even though
named runs as named.named.
-------------------------------------------------------
> > `man named.conf`, on the other hand, says somewhat ambiguously:
> > A unix control channel is a FIFO in the file system, and access to it
> > is controlled by normal file system permissions. It is created by named
> > with the specified file mode bits (see chmod(1)), user and group owner.
> > numbers, not names. It is recommended that the permissions be restricted
> > to administrative personnel only, or else any user on the system might be
> > able to manage the local name server.
>
> And how does what I did above differ from what it says here?
> I don't see anything unambiguous here at all.
Basically, you can read the instructions above as:
- the FIFO is created with the permissions and the uid/gid you passed in the
configuration file.
- you access it like any other file.
From that one could conclude that, say, you have a user
bind and a group admins that you want to have control over the DNS.
Then you set "mode=0660 uid=bind gid=admins".
You, however, wrote above that the uid,gid must be the same as those of the running bind.
OK.. let's check this claim of mine.
-----------------------------------------------------
[root@Strader /var]# cat /etc/passwd | grep rok
rok:x:500:500:Rok Papez:/home/rok:/bin/bash
[root@Strader /var]# cat /etc/named.conf | grep perm
unix "/var/run/ndc" perm 0600 owner 500 group 500;
[root@Strader /var]# /etc/rc.d/init.d/named start
Starting named: [ OK ]
[root@Strader /var]# dir run/ndc
srw------- 1 rok rok 0 Mar 21 18:24 run/ndc
[rok@Strader /etc]$ whoami && /usr/sbin/ndc stop
rok
Shutdown initiated.
[root na Strader /var]# tailf /var/log/messages
Mar 21 18:24:12 Strader named[2606]: Forwarding source address is [0.0.0.0].1029
Mar 21 18:24:12 Strader named[2607]: group = named
Mar 21 18:24:12 Strader named[2607]: user = named
Mar 21 18:24:12 Strader named[2607]: Ready to answer queries.
Mar 21 18:24:12 Strader named: named startup succeeded
Mar 21 18:24:31 Strader named[2607]: Sent NOTIFY for "domena.si IN SOA" (domena.si); 1 NS, 1 A
Mar 21 18:24:50 Strader named[2607]: named shutting down
-----------------------------------------------------
So my claim and my interpretation of the man page hold.
-----------------------------------------------------
--
best regards,
Rok Papez.
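As an added illustration (not part of this thread), a small Python checker of who can drive ndc through the unix control channel under a given controls stanza: it parses the `unix "..." perm ... owner ... group ...;` line and evaluates the mode bits the way the filesystem would. The stanza texts are constructed; the model assumes connecting to a unix socket needs write permission on its inode and that uid 0 bypasses those checks.

```python
import re
import stat

# Constructed sample stanzas echoing the thread (not copied from a real host).
CONF_ROK = 'controls {\n    unix "/var/run/ndc" perm 0600 owner 500 group 500;\n};\n'
CONF_OPEN = 'controls {\n    unix "/var/run/ndc" perm 0666 owner 0 group 0;\n};\n'

UNIX_RE = re.compile(
    r'unix\s+"(?P<path>[^"]+)"\s+perm\s+(?P<perm>0?[0-7]+)'
    r'\s+owner\s+(?P<owner>\d+)\s+group\s+(?P<group>\d+)\s*;')


def parse_unix_control(conf_text):
    """Pull the unix control channel out of a BIND 8 controls {} stanza.
    Returns None when the stanza has no unix channel."""
    m = UNIX_RE.search(conf_text)
    if not m:
        return None
    return {"path": m.group("path"), "perm": int(m.group("perm"), 8),
            "owner": int(m.group("owner")), "group": int(m.group("group"))}


def can_control(ctl, uid, gids):
    """Can a process with this uid and group list connect to the socket?
    Assumption: connecting to a unix socket needs write permission on its
    inode, so only the w bits matter; uid 0 bypasses the check entirely,
    which is why the owner 0 group 0 test above worked for root even though
    named itself ran as named.named."""
    if uid == 0:
        return True
    if uid == ctl["owner"]:
        return bool(ctl["perm"] & stat.S_IWUSR)
    if ctl["group"] in gids:
        return bool(ctl["perm"] & stat.S_IWGRP)
    return bool(ctl["perm"] & stat.S_IWOTH)


def audit(conf_text):
    """Return a list of findings about who may manage named through the channel."""
    ctl = parse_unix_control(conf_text)
    if ctl is None:
        return ["no unix control channel configured"]
    findings = []
    if ctl["perm"] & stat.S_IWOTH:
        findings.append("%s: world-writable (mode %04o): any local user can manage named"
                        % (ctl["path"], ctl["perm"]))
    if ctl["perm"] & stat.S_IWGRP:
        findings.append("%s: gid %d may manage named" % (ctl["path"], ctl["group"]))
    if ctl["perm"] & stat.S_IWUSR:
        findings.append("%s: uid %d may manage named" % (ctl["path"], ctl["owner"]))
    return findings
```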
More information about the Starilist mailing list