From: Martin McCormick
To: freebsd-questions@freebsd.org
Date: Thu, 17 Jun 2010 14:12:08 -0500
Subject: Re: Ownership of /var/named Changes on Reboot.
Message-Id: <201006171912.o5HJC8OY022364@dc.cis.okstate.edu>

Matthew Seaman writes:
> Furthermore, the default setup *is* for named to run as an unprivileged
> process. The setup is very carefully designed so that named doesn't
> have write permission on the directory where its configuration files are
> stored, or on directories that contain static zone files, but it does
> have write permission on directories it uses for zone files AXFR'd from
> a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable
> current working directory -- which was basically harmless and could be
> ignored. However recent changes mean bind needs a writable working
> directory, so the latest layouts include /var/named/etc/namedb/working

That turned out to be the issue. I reset the permissions to match the way they are when one first installs bind. Root owns /var/named but bind owns directories that should be writable, so the trick is to set one's named.conf file to reference writable directories for all the zones, logs and named.pid. It is now starting automatically on reboot just like it should.

While bind owns all the writable subdirectories, they all still have wheel as their GID. That appears to be okay since they are all only writable by owner.

Thanks for explaining this annoying little mystery that has dogged me at a minor level for years. I have been running bind for Oklahoma State University for close to 18 years and one tends to stick with configurations that work. It is just time to modernize and at least configure bind in the recommended way so as to take full advantage of the clever design.

It does still give the message that the working directory is not writable.

Martin McCormick
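An added check, not part of the thread or of the FreeBSD port: a POSIX shell audit of the split layout Matthew describes, which flags a config directory the daemon user could write to and a working/slave/dynamic directory that is not owned by that user or is writable by group or others (wheel as the group is accepted, as in Martin's setup). It assumes the tree lives under /var/named, the daemon user is "bind", and the FreeBSD default directory names; all three are assumptions.

```shell
#!/bin/sh
# Audit the split permission layout from the thread. Assumed (not from the
# thread): tree under /var/named, daemon user "bind", FreeBSD default dir
# names (master, slave, dynamic, working). Checks print one line per problem.

# check_readonly_dir DIR USER: config/static-zone dir; named must not write here.
check_readonly_dir() {
    dir=$1; user=$2; bad=0
    [ -d "$dir" ] || return 0                       # nothing to check
    set -- $(ls -ld "$dir"); mode=$1; owner=$3      # fields: mode links owner ...
    case $mode in
        d?w*) if [ "$owner" = "$user" ]; then       # owner-writable AND owned by daemon
                  echo "$dir: owned and writable by $user"; bad=$((bad + 1))
              fi ;;
    esac
    case $mode in
        d????w*|d???????w*) echo "$dir: writable by group or others"; bad=$((bad + 1)) ;;
    esac
    return $bad
}

# check_writable_dir DIR USER: working/slave/dynamic dir, owned by USER, owner-writable only.
check_writable_dir() {
    dir=$1; user=$2; bad=0
    [ -d "$dir" ] || { echo "$dir: missing (create it, owned by $user)"; return 1; }
    set -- $(ls -ld "$dir"); mode=$1; owner=$3
    [ "$owner" = "$user" ] || { echo "$dir: owned by $owner, expected $user"; bad=$((bad + 1)); }
    case $mode in
        d?w*) ;;
        *) echo "$dir: not writable by its owner"; bad=$((bad + 1)) ;;
    esac
    case $mode in                                   # group bit stays fine if not writable
        d????w*|d???????w*) echo "$dir: writable by group or others"; bad=$((bad + 1)) ;;
    esac
    return $bad
}

# audit_named_layout ROOT USER: run both checks over the whole tree; returns problem count.
audit_named_layout() {
    root=$1; user=$2; total=0
    for rel in etc/namedb etc/namedb/master; do
        check_readonly_dir "$root/$rel" "$user" || total=$((total + $?))
    done
    for rel in etc/namedb/working etc/namedb/slave etc/namedb/dynamic; do
        check_writable_dir "$root/$rel" "$user" || total=$((total + $?))
    done
    return $total
}
if [ "$#" -gt 0 ]; then audit_named_layout "$1" "${2:-bind}"; fi   # usage: sh audit.sh /var/named bind
```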