[oi-dev] Anybody else running named on OI

stes@PANDORA.BE stes at telenet.be
Fri Oct 23 06:49:17 UTC 2020


I'm glad you figured out a solution or workaround.

It's true that running BIND with the -u option (e.g. -u named) is a classical way to run BIND as non-root, so the SMF service could (or already does) encourage that.

If you check out with GIT: git clone oi-userland

and you check the Makefile of the components/network/bind

There is a directory 

   oi-userland/components/network/bind/Solaris

For the server.xml there is a comment

        <!--
                user: Run bind as the specified users, using the -u
                command line option.
        -->
        <propval name='user' type='astring' value='named' />


Perhaps you can add as a comment there what you have discovered?

This can be a note in the server.xml comments that could be useful for other users,
so that they don't run into that same issue.

You could then create a "pull request" for it.


Regards,
David Stes





----- Op 23 okt 2020 om 3:21 schreef Gary Mills gary_mills at fastmail.fm:

> On Sun, Oct 18, 2020 at 07:21:48PM -0500, Gary Mills wrote:
>> 
>> If I am truly the only one running named on OI, I can test some
>> changes to run safely as non-root, but not on my production system.
> 
> The cause was indeed a configuration error, but not of the type I
> had expected.  The configuration file is /etc/named.conf, but within
> this file is the line:
> 
>      directory "/var/named";
> 
> It specifies the working directory for named.  I'm sure that most
> people have this directive, but of course it will likely name a
> different working directory.  The BIND 9 Administrator Reference
> Manual recommends that this directory be owned by the named user,
> `named' in this case.  As soon as I changed ownership of this
> directory, the server began to operate normally.  The server wrote two
> files into this directory.  This is new behavior.  An older version of
> the server only read my zone files from that directory.
> 
> Before I made this change, when the directory was owned by root, I got
> the same error I had seen on my production server.  The server went
> into maintenance mode.  The messages log said:
> 
>    Oct 21 16:54:27 ryzen named[2257]: [ID 873579 daemon.error] the working
>    directory is not writable
> 
> So, that was all it took.  I made the same change on my production
> server.  It's running named as user `named' now.  The server has only
> the privileges of any user process now.  The SMF logfile says:
> 
>    dns-server: Executing: /usr/sbin/named  -u named in '/root'
> 
> What should I do with this newly-acquired information?  Should it go
> in a man page?  Maybe in a document instead?
> 
> 
> --
> -Gary Mills-		-refurb-		-Winnipeg, Manitoba, Canada-
> 
> _______________________________________________
> oi-dev mailing list
> oi-dev at openindiana.org
> https://openindiana.org/mailman/listinfo/oi-dev
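As an added example (not code from the thread or from the oi-userland component), a Python preflight check for the failure Gary describes above: it pulls the `directory` directive out of a named.conf and tests whether the user passed to `-u` can write there, using owner/group/other mode bits only. The sample configuration and the `named` user name are assumptions.

```python
import os
import re
import stat
import pwd
import grp

# Constructed sample, not the named.conf from the thread's host.
SAMPLE_NAMED_CONF = """
options {
        directory "/var/named";
        recursion no;
};
"""

_DIRECTORY_RE = re.compile(r'^\s*directory\s+"([^"]+)"\s*;', re.MULTILINE)


def working_directory(conf_text):
    """Path from the first `directory "...";` directive, or None."""
    m = _DIRECTORY_RE.search(conf_text)
    return m.group(1) if m else None


def writable_by(st_mode, st_uid, st_gid, uid, gids):
    """Owner/group/other check on raw stat fields: can uid, a member of
    the groups in gids, create files in this directory?  Root's override
    is deliberately ignored, since the point is running non-root."""
    if not stat.S_ISDIR(st_mode):
        return False
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def check_named_workdir(conf_text, user="named"):
    """Resolve `user` the way named -u does; return (path, ok, reason)."""
    path = working_directory(conf_text)
    if path is None:
        return (None, False, "no directory directive found")
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return (path, False, "working directory does not exist")
    ok = writable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    return (path, ok, "ok" if ok else "working directory is not writable by " + user)


if __name__ == "__main__":
    # Hypothetical use on the host, before enabling the dns/server service.
    with open("/etc/named.conf") as f:
        print(check_named_workdir(f.read(), "named"))
```

The check looks only at mode bits; Solaris ACLs or extra privileges granted to the service can make a directory writable that this reports as not writable.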


