[nsd-users] files needing write access by nsd in /etc

Mark Santcroos mark at NLnetLabs.nl
Tue Sep 18 10:41:57 UTC 2007


Hi Paul,

Paul Wouters wrote:
> On Fri, 14 Sep 2007, Paul Wouters wrote:
> 
> Upgrading to nsd-3 on a production server, I noticed:
> 
> Sep 14 12:52:51 ns0 nsd[25801]: could not open file /etc/nsd/ixfr.db for append: Permission denied
> 
> Checking the original configure script, I also noticed the setting for
> xfrd.state is located in /etc/nsd/.
> 
> Since in normal setups, nsd drops permissions from root to nsd, and the
> user nsd should not be allowed to write configuration files in /etc/nsd
> for security reasons, this is not an ideal default. Also, these files are
> not configuration files, but state files, and should really be located
> in /var/lib/nsd or /var/cache/nsd.
> 
> This would then also make it play better with technologies like SELinux.
> 
> I've changed the Fedora spec file to place the files in those directories,
> but it's worth considering changing the defaults in the configure script
> as well.

You are right that these locations are not the ideal place. It is caused
by the fact that these files were not written to in the previous
versions of NSD.

The downside of changing it is that it has been the default for ages and
that we don't want to surprise users too much with files in other locations.

We will rethink the locations, come up with sensible alternatives and
apply it. We will do it only to the 3.1 feature branch, and not the 3.0
bugfix branch. We will then communicate clearly what is changed so that
users won't be surprised.

Regards,

Mark

--
Mark Santcroos
NLnet Labs
http://www.nlnetlabs.nl/
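
An audit of the concern discussed in this thread, added here as an illustration (it is not code from NSD or from either poster): it lists everything under a configuration directory that a given service account can write to, judged by Unix mode bits. The `/etc/nsd` path and the `nsd` account come from the thread; the function names and the constructed demo tree are assumptions.

```python
import os
import pwd
import stat
import tempfile

def can_write(st, uid, gids):
    """Unix mode-bit check only; ACLs and SELinux policy are not consulted."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_by(root, uid, gids):
    """Sorted paths under root (root included) that uid/gids may write to."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    hits = []
    for path in paths:
        st = os.lstat(path)
        # Skip symlinks: their own mode bits say nothing about the target.
        if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
            hits.append(path)
    return sorted(hits)

def audit(confdir, user):
    """Resolve a service account by name and list what it may write under confdir."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    return writable_by(confdir, pw.pw_uid, gids)

def demo():
    """Constructed tree: a read-only config file beside a world-writable state file."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("nsd.conf", 0o644), ("ixfr.db", 0o666)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        other_uid = os.getuid() + 1  # constructed: some non-owner, non-root account
        return [os.path.basename(p) for p in writable_by(d, other_uid, set())]

if __name__ == "__main__":
    print(demo())
```

On a real host, `audit("/etc/nsd", "nsd")` returning an empty list means the daemon account cannot modify anything in its configuration directory, which is the layout the thread argues for once the state files live elsewhere.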