Debian Bug report logs - #53550
bind: WISH: run nameserver as user bind, group bind
Reported by: inaky@teknoland.com
Date: Mon, 27 Dec 1999 15:03:03 UTC
Severity: wishlist
Tags: patch
Merged with 50013, 52745, 128129, 132582, 157245
Done: Thomas Goirand <thomas@goirand.fr>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#53550; Package bind.
Acknowledgement sent to inaky@teknoland.com:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #5 received at submit@bugs.debian.org:
Package: bind
Version: 1:8.2.2p5-4
Severity: wishlist
Hi
I'd like to suggest adding a system user bind and group
bind. The nameserver 'named' would be run under this one (using
switches -g and -u at /etc/init.d/bind#start), and then changing,
after nameserver start, the user and group of /var/run/ndc to
bind.bind, as well as the mode to g+w to allow members of group bind
access to the name server control facilities.
I've been using this approach for a while now and it works
flawlessly. Only glitch I've found is PID file creation after named
drops root privileges.
Thanks,
Your happy Debian user
-- System Information
Debian Release: potato
Kernel Version: Linux lithium 2.2.12 #7 vie nov 12 21:03:02 CET 1999 i686 unknown
Versions of the packages bind depends on:
ii libc6 2.1.2-10 GNU C Library: Shared libraries and timezone
ii netbase 3.16-8 Basic TCP/IP networking binaries
--- Begin /etc/init.d/bind (modified conffile)
#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

test -x /usr/sbin/named || exit 0

case "$1" in
    start)
        echo -n "Starting domain name service: named"
        start-stop-daemon --start --quiet --exec /usr/sbin/named \
            -- -u bind -g bind
        echo "."
        chown bind.bind /var/run/ndc
        chmod gu=rw,o= /var/run/ndc
        ;;

    stop)
        echo -n "Stopping domain name service: named"
        start-stop-daemon --stop --quiet \
            --pidfile /var/run/named.pid --exec /usr/sbin/named
        echo "."
        ;;

    restart)
        /usr/sbin/ndc restart
        ;;

    reload)
        /usr/sbin/ndc reload
        ;;

    force-reload)
        $0 restart
        ;;

    *)
        echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
--- End /etc/init.d/bind
--- Begin /etc/bind/named.conf (modified conffile)
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };
};

// reduce log verbosity on issues outside our control
logging {
    category lame-servers { null; };
    category cname { null; };
};

// prime the server with knowledge of the root servers
//zone "." {
//    type hint;
//    file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
// add entries for other zones below here
// TeknoDNS system: forward zone information
include "/var/lib/teknodns/db/zones.conf";
// TeknoDNS system: reverse zone information
include "/var/lib/teknodns/db/izones.conf";
--- End /etc/bind/named.conf
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#53550; Package bind.
Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.
Message #10 received at 53550@bugs.debian.org:
In article <m122bdn-000RiPC@localhost> you wrote:
> I've been using this approach for a while now and it works
> flawlessly. Only glitch I've found is PID file creation after named
> drops root privileges.
As long as you have no dynamic interfaces (like PCMCIA card-provided
interfaces) this will work fine. If you aren't running as root, BIND will not
notice nor serve requests on interfaces that weren't present when it was
launched.
The request to configure BIND to run non-root is a persistent one, though, so
I suspect I'll address it somehow after the potato release.
Bdale
Bug reassigned from package `bind' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:07:09 GMT)
Bug reassigned from package `bind9' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:07:18 GMT)
Bug reassigned from package `bind9' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:07:35 GMT)
Bug reassigned from package `bind9' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:07:38 GMT)
Bug reassigned from package `bind9' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:07:40 GMT)
Bug reassigned from package `bind9' to `bind9'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sun, 13 Jul 2008 22:08:24 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#53550; Package bind9.
Acknowledgement sent to Marco Rodrigues <gothicx@sapo.pt>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #37 received at 53550@bugs.debian.org:
The bind package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the bind9 package. Please
have a look at them, and close them if they don't apply to
bind9 anymore.
Don't hesitate to reply to this mail if you have any questions.
--
Marco Rodrigues
http://Marco.Tondela.org
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 15 Oct 2011 07:32:17 GMT)