files needing write access by nsd in /etc

Paul Wouters paul at xelerance.com
Fri Sep 14 17:16:25 UTC 2007


On Fri, 14 Sep 2007, Paul Wouters wrote:

Upgrading to nsd-3 on a production server, I noticed:

Sep 14 12:52:51 ns0 nsd[25801]: could not open file /etc/nsd/ixfr.db for append: Permission denied

Checking the original configure script, I also noticed the setting for
xfrd.state is located in /etc/nsd/.

Since in normal setups, nsd drops permissions from root to nsd, and the
user nsd should not be allowed to write configuration files in /etc/nsd
for security reasons, this is not an ideal default. Also, these files are
not configuration files, but state files, and should really be located
in /var/lib/nsd or /var/cache/nsd.

This would then also make it play better with technologies like SELinux.

I've changed the Fedora spec file to place the files in those directories,
but it's worth considering changing the defaults in the configure script
as well.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
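
An added example, not part of the original message or of the NSD distribution: a shell check that flags nsd.conf options placing runtime state under /etc, so the configuration directory can stay read-only for the unprivileged nsd user. The option names (difffile, xfrdfile, database, pidfile) are assumed from NSD 3's nsd.conf(5), and the sample configuration is constructed.

```shell
#!/bin/sh
# Report nsd.conf options that place runtime state under a configuration
# directory (default /etc). Prints "option path" for each offender and
# returns 1 if any are found, 0 otherwise.
# Option names are assumed from NSD 3's nsd.conf(5), not from the message.
state_files_in_etc() {
    conf=$1
    confdir=${2:-/etc}
    awk -v dir="$confdir" '
        # Strip comments and surrounding whitespace before matching.
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^(difffile|xfrdfile|database|pidfile):/ {
            opt = $1; sub(/:$/, "", opt)
            path = $2; gsub(/"/, "", path)
            # Offending if the path starts with "<confdir>/".
            if (index(path, dir "/") == 1) { print opt, path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample configuration mirroring the defaults described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server:
    username: nsd
    database: /var/lib/nsd/nsd.db
    difffile: /etc/nsd/ixfr.db      # state file in the config directory
    xfrdfile: /etc/nsd/xfrd.state   # state file in the config directory
    pidfile: /var/run/nsd.pid
EOF

if ! state_files_in_etc "$sample"; then
    echo "state files are configured under /etc; move them to /var/lib/nsd"
fi
rm -f "$sample"
```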


