a few notes about permissions

Måns Nilsson mansaxel at kthnoc.net
Mon Dec 11 11:38:29 UTC 2006



--On Monday, 11 Dec 2006 12.02.30 +0100 Farkas Levente
<lfarkas at bppiac.hu> wrote:

> hi,
> as i wrote earlier there is a few confusion around file permissions and
> euid with nsd. i try to find anything about it but can't find the valid
> doc. nsd run as user nsd (by default), so create files as nsd. a few
> notes which would be useful to include in the readme:
> - /etc/nsd should have to owned by nsd (otherwise can't update zones:
>    could not open file /etc/nsd/ixfr.db for append: Permission denied)
> - files in the /etc/nsd would be useful to owned by nsd.

I also noticed this -- there are some bootstrapping issues when a new
installation is started. Partly, this can be solved by smart things in
"make install" but that won't solve reconfiguration, which is why there
needs to be documentation as well. 

I'd suggest that the config sample files get text along these lines. 

> on the other hand
> - nsdc, nsd-patch and nsd-xfer should have to run as the configured user
> (nsd by default) so the generated db, zone and transfer files owned by
> nsd. in this case file permission would be consistent. now eg. ixfr.db
> owned by nsd while nsd.db owned by root. master zone files owned by nsd
> slaves owned by root (nsd-patch generated, yes i know cron can be run as
> a given user, but). if you assume you can write a perfect code nsd can
> run as root, if try to be safe run all tools as nsd.

Setuid shell scripts are generally complicated. Running the binaries inside
a shell script with "su" and the main script as root is doable. 

-- 
Måns Nilsson                     Systems Specialist
+46 70 681 7204   cell                       KTHNOC
+46 8 790 6518  office                  MN1334-RIPE

PEGGY FLEMMING is stealing BASKET BALLS to feed the babies in VERMONT.
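
An ownership audit and a root-side wrapper along the lines discussed in this thread, as an added example that is not part of the original messages or of NSD. `owner_mismatches` and `run_as` are hypothetical helper names; GNU `stat` and a `su` that accepts `-s` are assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of NSD.

# Print every path under DIR (DIR itself included) whose owner is not OWNER.
# OWNER may be a user name or a numeric uid. Assumes GNU stat (-c).
owner_mismatches() {
    dir=$1 owner=$2
    find "$dir" -exec stat -c '%U %u %n' {} + |
    while read -r name uid path; do
        [ "$name" = "$owner" ] || [ "$uid" = "$owner" ] ||
            printf '%s (owner %s)\n' "$path" "$name"
    done
}

# Run CMD (a single string) as USER, so files it creates are owned by USER:
# directly if we already are USER, through su if we are root, else refuse.
run_as() {
    user=$1 cmd=$2
    if [ "$(id -un 2>/dev/null)" = "$user" ] || [ "$(id -u)" = "$user" ]; then
        sh -c "$cmd"
    elif [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$user" -c "$cmd"
    else
        echo "run_as: must be root or $user to run: $cmd" >&2
        return 1
    fi
}

# Stand-alone use: ./script DIR OWNER lists the files that would trigger
# "Permission denied" style failures for a daemon running as OWNER.
#   ./script /etc/nsd nsd
# From a root-owned cron or init script, the tools would then be wrapped as
#   run_as nsd '<nsdc or nsd-patch command line>'
if [ "$#" -eq 2 ]; then
    owner_mismatches "$1" "$2"
fi
```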