洞洞! | 原喵空间


[Original] A look at file permissions for named.conf and zone files in BIND

Author: xiaowuhello
First, my environment: the DNS server is already configured and working. Here is the configuration.

[code][root@ns named]# cat /var/named/chroot/etc/named.conf
options {
	listen-on port 53 { 192.168.16.254; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Those options should be used carefully because they disable port
	// randomization
	// query-source port 53;
	// query-source-v6 port 53;
	allow-query { any; };
	allow-query-cache { any; };
};
zone "." IN {
	type hint;
	file "named.ca";
};
zone "test.com" IN {
	type master;
	file "test.com.zone";
	allow-update { none; };
};
zone "16.168.192.in-addr.arpa" IN {
	type master;
	file "16.168.192.in-addr.arpa.zone";
	allow-update { none; };
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
[/code]
The forward zone:

[code][root@ns named]# cat /var/named/chroot/var/named/test.com.zone
$TTL 86400
@	IN SOA	ns.test.com. root.test.com. (
			2011011300	; serial (d. adams)
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D )		; minimum
@	IN NS	ns.test.com.
ns	IN A	192.168.16.254
@	IN MX 5	mail.test.com.
mail	IN A	192.168.16.253
www	IN A	192.168.16.252
[/code]
The reverse zone (one fix compared with what was originally posted: the PTR for 254 lacked the trailing dot, so BIND would have read it as ns.test.com.16.168.192.in-addr.arpa.; the lookup test further down only queried 253, which is why this never showed up):

[code][root@ns named]# cat /var/named/chroot/var/named/16.168.192.in-addr.arpa.zone
$TTL 86400
@	IN SOA	ns.test.com. root.test.com. (
			2011011300	; serial (d. adams)
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D )		; minimum
@	IN NS	ns.test.com.
254	IN PTR	ns.test.com.	; trailing dot added: a name without it is relative to the zone origin
@	IN MX 5	mail.test.com.
253	IN PTR	mail.test.com.
252	IN PTR	www.test.com.
[/code]
Now the permissions in the chroot's etc directory:

[code][root@ns etc]# ll
total 72
-rw-r--r-- 1 root root 1548 01-15 04:16 ~
-rw-r--r-- 1 root root 1891 01-14 01:31 @
-rw-r--r-- 1 root root 1907 01-14 01:26 
-rw-r--r-- 1 root root 1559 01-14 01:33 1
-rw-r--r-- 1 root root 405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r----- 1 root root 1727 01-16 01:34 named.conf
-rw-r----- 1 root named 955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named 113 01-13 21:45 rndc.key
[/code]

The line we care about:

[code]-rw-r----- 1 root root 1727 01-16 01:34 named.conf[/code]

named.conf is owned by root, group root, mode 640. Restart the named service:

[code][root@ns etc]# service named restart
Stopping named: [ OK ]
Starting named: [FAILED]
[root@ns etc]#
[/code]

The restart fails. Look at what the log says:

[code][root@ns etc]# tail /var/log/messages
Jan 16 01:41:49 ns named[10195]: loading configuration: permission denied
Jan 16 01:41:49 ns named[10195]: exiting (due to fatal error)
Jan 16 01:45:59 ns named[10328]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named -t /var/named/chroot
Jan 16 01:45:59 ns named[10328]: adjusted limit on open files from 1024 to 1048576
Jan 16 01:45:59 ns named[10328]: found 2 CPUs, using 2 worker threads
Jan 16 01:45:59 ns named[10328]: using up to 4096 sockets
Jan 16 01:45:59 ns named[10328]: loading configuration from '/etc/named.conf'
Jan 16 01:45:59 ns named[10328]: none:0: open: /etc/named.conf: permission denied
Jan 16 01:45:59 ns named[10328]: loading configuration: permission denied
Jan 16 01:45:59 ns named[10328]: exiting (due to fatal error)
[/code]

"permission denied" means the process does not have the rights it needs. Two details in the log explain why: named is started with "-u named -t /var/named/chroot", so it drops root privileges to the user named and chroots into /var/named/chroot. The '/etc/named.conf' it then fails to open is /var/named/chroot/etc/named.conf on the host, and the open is done as the named user, not as root. That file is root:root 640, and named is neither root nor a member of the root group, so the read falls through to the "other" bits, which are empty.

The zone files have the same problem:

[code][root@ns etc]# cd ../var/named
[root@ns named]# ll
total 88
-rw-r----- 1 root root 369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root named 198 2010-01-18 localdomain.zone
-rw-r----- 1 root named 195 2010-01-18 localhost.zone
-rw-r----- 1 root named 427 2010-01-18 named.broadcast
-rw-r----- 1 root named 1892 2010-01-18 named.ca
-rw-r----- 1 root named 424 2010-01-18 named.ip6.local
-rw-r----- 1 root named 426 2010-01-18 named.local
-rw-r----- 1 root named 427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 root root 367 01-14 22:17 test.com.zone
[/code]

The two lines we need:

[code]-rw-r----- 1 root root 367 01-14 22:17 test.com.zone
-rw-r----- 1 root root 369 01-14 22:18 16.168.192.in-addr.arpa.zone
[/code]

Both are mode 640, owner root, group root. OK, let's change that:

[code][root@ns named]# chmod 644 test.com.zone
[root@ns named]# chmod 644 16.168.192.in-addr.arpa.zone
[root@ns named]# ll
total 88
-rw-r--r-- 1 root root 369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root named 198 2010-01-18 localdomain.zone
-rw-r----- 1 root named 195 2010-01-18 localhost.zone
-rw-r----- 1 root named 427 2010-01-18 named.broadcast
-rw-r----- 1 root named 1892 2010-01-18 named.ca
-rw-r----- 1 root named 424 2010-01-18 named.ip6.local
-rw-r----- 1 root named 426 2010-01-18 named.local
-rw-r----- 1 root named 427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r--r-- 1 root root 367 01-14 22:17 test.com.zone
[root@ns named]#
[/code]

Now test.com.zone and 16.168.192.in-addr.arpa.zone are both root root 644. Give named.conf the same mode:

[code][root@ns named]# cd ..
[root@ns var]# cd ../etc
[root@ns etc]# chmod 644 named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root 1548 01-15 04:16 ~
-rw-r--r-- 1 root root 1891 01-14 01:31 @
-rw-r--r-- 1 root root 1907 01-14 01:26 
-rw-r--r-- 1 root root 1559 01-14 01:33 1
-rw-r--r-- 1 root root 405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 root root 1727 01-16 01:34 named.conf
-rw-r----- 1 root named 955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named 113 01-13 21:45 rndc.key
[/code]

named.conf is now root root 644. Restart:

[code][root@ns etc]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@ns etc]#
[/code]

OK, the permission problem is solved. Let's test it:

[code][root@ns etc]# nslookup
> mail.test.com
Server:		192.168.16.254
Address:	192.168.16.254#53

Name:	mail.test.com
Address: 192.168.16.253
> 192.168.16.253
Server:		192.168.16.254
Address:	192.168.16.254#53

253.16.168.192.in-addr.arpa	name = mail.test.com.
>
[/code]

Both the forward and the reverse lookup succeed, so permissions are no longer a problem.

Now think about it: we gave these files mode 644, owned by root, which means every local user can read them. Is that insecure? Look at the defaults shipped with the package:

[code]-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf[/code]

Our files originally had the same mode as this one, 640. To tighten things up, let's change the owner to named and test again:

[code][root@ns etc]# chgrp named named.conf
[root@ns etc]# chown named named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root 1548 01-15 04:16 ~
-rw-r--r-- 1 root root 1891 01-14 01:31 @
-rw-r--r-- 1 root root 1907 01-14 01:26 
-rw-r--r-- 1 root root 1559 01-14 01:33 1
-rw-r--r-- 1 root root 405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 named named 1727 01-16 01:34 named.conf
-rw-r----- 1 root named 955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named 113 01-13 21:45 rndc.key
[root@ns etc]#
[root@ns named]# chgrp named test.com.zone
[root@ns named]# chown named test.com.zone
[root@ns named]# chgrp named 16.168.192.in-addr.arpa.zone
[root@ns named]# chown named 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 test.com.zone
[root@ns named]# ll
total 88
-rw-r----- 1 named named 369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root named 198 2010-01-18 localdomain.zone
-rw-r----- 1 root named 195 2010-01-18 localhost.zone
-rw-r----- 1 root named 427 2010-01-18 named.broadcast
-rw-r----- 1 root named 1892 2010-01-18 named.ca
-rw-r----- 1 root named 424 2010-01-18 named.ip6.local
-rw-r----- 1 root named 426 2010-01-18 named.local
-rw-r----- 1 root named 427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 named named 367 01-14 22:17 test.com.zone
[root@ns named]#
[/code]

Restart the service:

[code][root@ns named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@ns named]#
[/code]

Done. The two zone files are now -rw-r----- 1 named named, and named.conf is owned by named:named as well. Note, though, that in the listing above named.conf was only chowned, not chmodded: it is still 644, so a "chmod 640 named.conf" is still needed to bring it in line with the zone files. Once that is done, users other than named can no longer read any of the three files, which is tighter than the 644 we started with.

What the tests show: named runs as the user named, so it has to be able to read named.conf and every zone file it references. With owner root and group root, that means mode 644 (read through the "other" bits); with owner named, 640 is enough; anything less and the service will not start. The cleanest least-privilege setting, however, is the one the package's own files use (root:named 640, as with named.caching-nameserver.conf and named.ca above, both of which named loaded without complaint): named reads through the group bit, nobody else can read the files, and named cannot modify its own configuration or zone data. Making named the owner also works, but it gives the daemon write access to files it only needs to read, which is exactly what a compromised named process should not have.

This tutorial is titled "A look at file permissions for named.conf and zone files in BIND"; I hope the video and text serve as a starting point for discussion. I'm posting these study notes to my forum, and I hope everyone will support it...
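To turn the manual "ll" inspections above into a repeatable check, here is an added example. It is my own code, not from the original post and not part of BIND: it parses named.conf for the zone files, resolves them through the "directory" option and the chroot given to -t, and decides from owner/group/mode bits whether the uid/gid named runs as can read each file (otherwise named exits with "permission denied") and whether it can also write it (more than a read-only daemon needs). The sample named.conf, the temporary chroot layout and the uid/gid values are constructed; treating /var/named as the directory when no "directory" option is present is an assumption, and log channels are skipped on purpose because those files are meant to be writable.

```python
"""Added example (not from the post): audit named.conf and its zone files for the user named runs as."""
import os
import re
import tempfile

_FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')
_DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"\s*;')


def _block_after(text, start):
    """Body of the brace-balanced block whose '{' is the first one at/after start."""
    i, depth = text.index("{", start), 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")


def zone_files(conf_text):
    """In-chroot paths of the `file` directives inside zone {} blocks (comments are
    stripped first; log channels are meant to be writable and are skipped)."""
    text = re.sub(r"(//|#)[^\n]*", "", re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S))
    m = _DIRECTORY_RE.search(text)
    directory = m.group(1) if m else "/var/named"  # assumed default when unset
    found = []
    for z in re.finditer(r'\bzone\s+"[^"]+"', text):
        f = _FILE_RE.search(_block_after(text, z.end()))
        if f:
            found.append(os.path.join(directory, f.group(1)))  # an absolute file wins
    return found


def can_access(st, uid, gids, write=False):
    """POSIX owner/group/other decision from a stat result (root always passes)."""
    if uid == 0:
        return True
    who = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0  # which rwx triplet
    return bool((st.st_mode >> who) & (2 if write else 4))           # r = 4, w = 2


def audit(conf_host_path, uid, gids, chroot=""):
    """Map named.conf and every zone file to 'unreadable' (named exits with 'permission
    denied'), 'writable' (more than a read-only daemon needs), 'missing' or 'ok'."""
    with open(conf_host_path) as fh:
        inside = zone_files(fh.read())
    report = {}
    for p in [conf_host_path] + [chroot.rstrip("/") + q for q in inside]:  # -t chroot
        if not os.path.exists(p):
            report[p] = "missing"
        elif not can_access(os.stat(p), uid, gids):
            report[p] = "unreadable"
        elif can_access(os.stat(p), uid, gids, write=True):
            report[p] = "writable"
        else:
            report[p] = "ok"
    return report


# Constructed named.conf shaped like the one in the post (options trimmed).
SAMPLE_CONF = """\
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "test.com" IN { type master;
    // file "test.com.zone.old";   commented out: must be ignored
    file "test.com.zone"; allow-update { none; }; };
zone "16.168.192.in-addr.arpa" IN { type master; file "16.168.192.in-addr.arpa.zone"; };
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
"""
ZONE_NAMES = ["named.ca", "test.com.zone", "16.168.192.in-addr.arpa.zone"]


def build_chroot(root, mode):
    """Constructed stand-in for /var/named/chroot; every file is chmod'ed to `mode`."""
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "named"))
    conf = os.path.join(root, "etc", "named.conf")
    for p in [conf] + [os.path.join(root, "var", "named", z) for z in ZONE_NAMES]:
        with open(p, "w") as fh:
            fh.write(SAMPLE_CONF if p == conf else "$TTL 86400\n")
        os.chmod(p, mode)
    return conf


def run_scenarios():
    """Replay the post's permission states plus the distro default (root:named 640).
    'named' is simulated by uid/gid values relative to the files' real owner, so
    no named account and no root privilege are needed to run this."""
    scenarios = {  # mode, named is the owner?, named is in the file's group?
        "root_root_640": (0o640, False, False),   # the failing state
        "root_root_644": (0o644, False, False),   # first fix: world-readable
        "named_named_640": (0o640, True, True),   # the post's final state
        "root_named_640": (0o640, False, True),   # like the distro's own files
    }
    results = {}
    for name, (mode, named_owns, named_in_group) in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            conf = build_chroot(root, mode)
            st = os.stat(conf)
            uid = st.st_uid if named_owns else st.st_uid + 1
            gids = frozenset({st.st_gid if named_in_group else st.st_gid + 1})
            report = audit(conf, uid, gids, chroot=root)
            results[name] = {os.path.basename(p): s for p, s in report.items()}
    return results
```

On a real server you would call audit() with the host path of named.conf, the uid and gids of the named account (from pwd and grp) and chroot="/var/named/chroot", as in the "-u named -t /var/named/chroot" line of the log. run_scenarios() reproduces the four states discussed above: root:root 640 is reported unreadable for every file (the failed restart), root:root 644 and root:named 640 are reported ok, and named:named 640 is reported writable, which is the over-privilege the conclusion warns about.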
