2009-09-06

BIND - name server error "the working directory is not writable"

Recently, there have been a few incidents of DNS server vulnerabilities being exploited. Fortunately, ISC has released BIND patches soon enough for the rest of us to start closing the loopholes.

After an upgrade or installation of the ISC BIND DNS server 9.6 on a FreeBSD box, we will need to stop and start the "named" service. As usual, running the commands below will restart it :
/etc/rc.d/named stop
/etc/rc.d/named start

During the restart of the service, a few lines of text pop up saying that the permissions of some directories in "/var/named" were altered. By default, the named files need to be owned by the user and group "bind" in order for it to run properly. But the script in "/etc/rc.d/named" seems to change the ownership of some directories to the user "root" and the group "wheel". This actually causes errors to be reported in the log file :
Sep  3 02:44:26 nameserver named[9999]: the working directory is not writable

Naturally, we would issue the command :
chown -R bind:bind /var/named/etc

to fix the permission problem. But after another restart of the "named" service using the command :
/etc/rc.d/named restart

the ownership reverts back to "root" and "wheel". This causes problems when the DNS server transfers zone files from the master DNS server: the "named" service is not able to write the latest zone data into the files under "/var/named", and instead ends up creating temporary files.

After some investigation, it seems that the ownership defined in "/etc/mtree/BIND.chroot.dist" is what sets it this way. We need to redefine the ownership of the directories there so that the script stops changing them back to "root" whenever the "named" service is started, and the "bind" user that runs the DNS server is able to write the zone files in "/var/named".

The solution is :

Change the file "/etc/mtree/BIND.chroot.dist" from :
/set type=dir uname=root gname=wheel mode=0755
.
    dev             mode=0555
    ..
    etc
        namedb
            dynamic uname=bind
            ..
            master
            ..
            slave   uname=bind
            ..
        ..
    ..
(take note of the lines marked with #<<<) to :
/set type=dir uname=bind gname=wheel mode=0755 #<<<
.
    dev             mode=0555
    ..
    etc
        namedb
            dynamic uname=bind
            ..
            master  uname=bind #<<<
            ..
            slave   uname=bind
            ..
            working uname=bind #<<<
            ..                 #<<<
        ..
    ..
Since this is a read-only file, use the command ":w!" to force vi to save, then quit vi with the ":q" command.

Remember to change the ownership of the files and folders in :
/var/named
to
bind:bind
then restart the "named" service. This time, it won't revert the ownership back to "root:wheel".
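To see what the rc script will actually do with the spec, here is an added example (not part of the original post) that resolves the effective owner of every directory in an mtree spec, combining the /set defaults with the per-entry keywords, and lists the directories a "named" running as "bind" would not own. The embedded spec is a constructed copy of the stock file quoted above, and the function and variable names are my own.

```shell
# Added example (not from the post): resolve the effective owner of every
# directory in an mtree spec such as /etc/mtree/BIND.chroot.dist, which
# /etc/rc.d/named applies on each start. Reads the spec on stdin and prints
# "<path> <uname> <gname> <mode>" for each directory entry.
mtree_effective_owners() {
    awk '
    function val(f, k) { return index(f, (k "=")) == 1 ? substr(f, length(k) + 2) : "" }
    function apply(i,   v) {                        # keyword in field i overrides u/g/m
        if ((v = val($i, "uname")) != "") u = v
        if ((v = val($i, "gname")) != "") g = v
        if ((v = val($i, "mode"))  != "") m = v
    }
    {
        sub(/#.*/, ""); if (NF == 0) next           # drop comments such as the #<<< markers
        if ($1 == "/set") {                         # new defaults for the entries that follow
            u = du; g = dg; m = dm; for (i = 2; i <= NF; i++) apply(i)
            du = u; dg = g; dm = m; next
        }
        if ($1 == "..") { depth--; next }           # leave the current directory
        u = du; g = dg; m = dm; for (i = 2; i <= NF; i++) apply(i)
        path = "."
        if ($1 != ".") { stack[depth] = $1; for (j = 1; j <= depth; j++) path = path "/" stack[j] }
        print path, u, g, m
        depth++                                     # its children follow until ".."
    }'
}

# dirs_not_owned_by <spec> <user>: directories the spec hands to someone other
# than <user>, i.e. where a named running as <user> cannot write zone files.
dirs_not_owned_by() {
    printf '%s\n' "$1" | mtree_effective_owners | awk -v u="$2" '$2 != u { print $1 }'
}

# Constructed copy of the stock spec quoted above (the "before" version).
STOCK_SPEC='/set type=dir uname=root gname=wheel mode=0755
.
    dev             mode=0555
    ..
    etc
        namedb
            dynamic uname=bind
            ..
            master
            ..
            slave   uname=bind
            ..
        ..
    ..'
dirs_not_owned_by "$STOCK_SPEC" bind    # master (and its parents) stay root-owned
```

Feed the edited spec through the same function and the list comes back empty, which is exactly the condition the fix above is after.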

Voilà !!!

1 comment:

Mechno said...

Hello peeps,
My buddy and I were looking at this issue too and found that this did the trick:
"/set type=dir uname=bind gname=bind mode=0755"
in the /etc/mtree/BIND.chroot.dist

If this is inadvisable in any way please say so, but it has eliminated the cause of that message in the logs.
-mechno