[oi-dev] Anybody else running named on OI

Gary Mills gary_mills at fastmail.fm
Fri Oct 23 01:21:47 UTC 2020


On Sun, Oct 18, 2020 at 07:21:48PM -0500, Gary Mills wrote:
> 
> If I am truly the only one running named on OI, I can test some
> changes to run safely as non-root, but not on my production system.

The cause was indeed a configuration error, but not of the type I
had expected.  The configuration file is /etc/named.conf, but within
this file is the line:

      directory "/var/named";

It specifies the working directory for named.  I'm sure that most
people have this directive, but of course it will likely name a
different working directory.  The BIND 9 Administrator Reference
Manual recommends that this directory be owned by the named user,
`named' in this case.  As soon as I changed ownership of this
directory, the server began to operate normally.  The server wrote two
files into this directory.  This is new behavior.  An older version of
the server only read my zone files from that directory.

Before I made this change, when the directory was owned by root, I got
the same error I had seen on my production server.  The server went
into maintenance mode.  The messages log said:

    Oct 21 16:54:27 ryzen named[2257]: [ID 873579 daemon.error] the working directory is not writable

So, that was all it took.  I made the same change on my production
server.  It's running named as user `named' now.  The server has only
the privileges of any user process now.  The SMF logfile says:

    dns-server: Executing: /usr/sbin/named  -u named in '/root'

What should I do with this newly-acquired information?  Should it go
in a man page?  Maybe in a document instead?


-- 
-Gary Mills-		-refurb-		-Winnipeg, Manitoba, Canada-
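
A small check for the ownership problem described above, added here as an example and not part of the message or of BIND itself: it reads the `directory` directive from a named.conf (the path and the `-u` user are passed as arguments, an assumption) and reports whether the directory is owned by that user.

```shell
#!/bin/sh
# Verify that the working directory named in named.conf is owned by the
# account named runs as (the user given to 'named -u').

named_working_dir() {
    # Print the path from the first 'directory "..."' directive in $1.
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

dir_owner() {
    # Portable owner lookup: third field of 'ls -ld' (illumos and Linux alike).
    ls -ld "$1" | awk '{ print $3 }'
}

check_named_dir() {
    # $1 = path to named.conf, $2 = user named runs as.
    # Returns 0 if the directory is owned by that user, 1 if not, 2 on errors.
    conf=$1
    user=$2
    dir=$(named_working_dir "$conf")
    if [ -z "$dir" ]; then
        echo "no directory directive found in $conf" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist" >&2
        return 2
    fi
    owner=$(dir_owner "$dir")
    if [ "$owner" != "$user" ]; then
        # This is the state that makes named log
        # "the working directory is not writable" and the service fail.
        echo "$dir is owned by $owner, not $user" >&2
        return 1
    fi
    echo "$dir is owned by $user: OK"
    return 0
}
```

Run it as `check_named_dir /etc/named.conf named` before enabling the SMF service.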