Why is named running as root by default?

[Wouter]

Can someone tell me why named is running as root by default on DA-boxes? I have changed this on all our DA-boxes so that it runs under user bind. All seems to work OK. I really don't understand why it's not by default running under bind?!

 

[nobaloney]

I believe bind (the Berkely Internet Name Daemon) is set up by your linux/unix distribution. You should ask your distribution vendor.

Jeff

 

[Wouter]

Nope.

Only the user bind is added to the system by default.
Bind is not installed! DA install it.

I have installed it from ports on my secondary dns server, then it's running by default under user bind. So this seems to be work from the DA-team.

Can some of you check also if it's running as root?

# ps waux | grep named

 

[skruf]

Hey,

Here's one of our boxes:

# ps waux | grep named
named 2127 0.0 0.1 30040 1224 ? S Feb02 0:20 /usr/sbin/named -u named
root 3592 0.0 0.0 3568 620 pts/0 S 13:10 0:00 grep named

David

 

[Chrysalis]

its how its executed what arguments it uses, these can be set in rc.conf on a freebsd system. Not sure how its done for other operating systems.

 

[Wouter]

its how its executed what arguments it uses, these can be set in rc.conf on a freebsd system. Not sure how its done for other operating systems.

I know how I can switch to user "bind".
The point is that on all FreeBSD-boxes I have installed (alot!) named is running by default as root....

That is something the DA-team should fix. I know allot of people who are not checking this. If there is a serious bug again in Named/Bind this could be very dangerous....

 

[Chrysalis]

I know how I can switch to user "bind".
The point is that on all FreeBSD-boxes I have installed (alot!) named is running by default as root....

That is something the DA-team should fix. I know allot of people who are not checking this. If there is a serious bug again in Named/Bind this could be very dangerous....

agreed.

 

[nobaloney]

I discussed this issue with the DA folk a week or so ago.

If your distribution doesn't have BIND installed when you install DA, then DA will install it according to your OS's specifications.

So you'll get what your OS sets up by default.

Jeff

 

[Wouter]

I discussed this issue with the DA folk a week or so ago.

If your distribution doesn't have BIND installed when you install DA, then DA will install it according to your OS's specifications.

So you'll get what your OS sets up by default.

Jeff

Strange, when I install Bind/Named with sysinstall in FreeBSD on a clean server it's running as bind by default?!

And so what if it is running as root by FreeBSD-defaults (but i'm sure it's not!). Then still it's a little thing for the DA-team to fix.

 

[Chrysalis]

I discussed this issue with the DA folk a week or so ago.

If your distribution doesn't have BIND installed when you install DA, then DA will install it according to your OS's specifications.

So you'll get what your OS sets up by default.

Jeff

This is incorrect, I will fire an email to john on how he can fix it.

On FreeBSD the bind user and group is created by default on a base system, bind is also installed. The rc.d script controls what user named runs as, the fix is just a simple change to the directadmin rc.d script.


start() {
echo -n "Starting Named: ";
daemon /usr/sbin/named


in /usr/local/etc/rc.d/named

changing to


start() {
echo -n "Starting Named: ";
daemon /usr/sbin/named -u bind


will fix it line 16.

 

[Wouter]

Don't forget to chown the zonefiles to user bind

 

[nobaloney]

Is it possibly a DA-on-FreeBSD issue? I don't have the problem on our CentOS/RHEL systems.

Jeff

 

[Chrysalis]

Don't forget to chown the zonefiles to user bind

yes thanks for reminding me, I have a friend's box which was running named using DA's rc.d script, I applied my fix and restarted named. What I usually do on other boxes is copy the rc.d script that comes with fbsd and overwrite DA's rc.d script so it then uses rc.conf settings.


cd /etc/namedb
chown bind *
chown bind .


if you running named jailed then the dir will likely be /var/named/etc/namedb.

I see they fixed the ndc problem tho which is good