
【原创】bind中的named.conf 解析文件权限的探讨
声明我的环境,我的DNS服务器
是已经配置ok的,把我的配置贴出来
[root@ns named]# cat /var/named/chroot/etc/named.conf
[code]
// named.conf for this server. The log shows named started with
// "-u named -t /var/named/chroot", so every path below is inside the chroot
// and must be readable by the unprivileged "named" user.
options {
// Serve DNS only on the server's own IPv4 address; IPv6 is loopback only.
listen-on port 53 { 192.168.16.254; };
listen-on-v6 port 53 { ::1; };
// Working directory (relative to the chroot); zone "file" names below are
// resolved under it.
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// NOTE(review): "any" lets every client that can reach 192.168.16.254:53
// query this server and its cache. If it only serves the 192.168.16.0/24
// network (the reverse zone below), limiting both to that range or to an
// acl is the safer choice.
allow-query { any; };
allow-query-cache { any; };
};
// Root hints. In the directory listings named.ca stays root:named 640 and
// still loads, so group-read via group "named" is enough for named's files.
zone "." IN {
type hint;
file "named.ca";
};
// Authoritative forward zone; dynamic updates are disabled, so the zone only
// changes by editing the file and reloading.
zone "test.com" IN {
type master;
file "test.com.zone";
allow-update { none; };
};
// Matching reverse zone for 192.168.16.0/24.
zone "16.168.192.in-addr.arpa" IN {
type master;
file "16.168.192.in-addr.arpa.zone";
allow-update { none; };
};
// Debug output goes to data/named.run under "directory"; the data directory
// is owned named:named in the listing, so the daemon can write there.
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
[root@ns named]# cat /var/named/chroot/var/named/test.com.zone
[code]
$TTL 86400
; SOA: ns.test.com. is the primary name server, root.test.com. the
; responsible mailbox (root@test.com). Bump the serial on every edit.
@ IN SOA ns.test.com. root.test.com. (
2011011300 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; Names ending in "." are absolute; a name without the dot (like "ns",
; "mail", "www") is expanded with the zone origin test.com.
@ IN NS ns.test.com.
ns IN A 192.168.16.254
@ IN MX 5 mail.test.com.
mail IN A 192.168.16.253
www IN A 192.168.16.252
[root@ns named]# cat /var/named/chroot/var/named/16.168.192.in-addr.arpa.zone
$TTL 86400
@ IN SOA ns.test.com. root.test.com. (
2011011300 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.test.com.
; NOTE(review): unlike the other PTR targets this one has no trailing dot,
; so "ns.test.com" is a relative name and gets the zone origin appended;
; it should read "ns.test.com." (left unchanged here).
254 IN PTR ns.test.com
; An MX record in a reverse zone is unusual; reverse lookups only use PTR.
@ IN MX 5 mail.test.com.
253 IN PTR mail.test.com.
252 IN PTR www.test.com.
[root@ns etc]# ll
总计 72
-rw-r--r-- 1 root root
1548 01-15 04:16 ~
-rw-r--r-- 1 root root
1891 01-14 01:31 @
-rw-r--r-- 1 root root
1907 01-14 01:26 !
-rw-r--r-- 1 root root
1559 01-14 01:33 1
-rw-r--r-- 1 root root
405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r----- 1 root root
1727 01-16 01:34 named.conf
-rw-r----- 1 root named
955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named
113 01-13 21:45 rndc.key
筛选信息
-rw-r----- 1 root root
1727 01-16 01:34 named.conf
named.conf 属主是 root、属组是 root, 权限是 640
[root@ns etc]# service named restart
停止 named:
[确定
启动 named:
[失败
[root@ns etc]#
重启named服务 无法成功哇,来看下日志提示的错误,
[root@ns etc]# tail /var/log/messages
Jan 16 01:41:49 ns named[10195]: loading configuration: permission denied
Jan 16 01:41:49 ns named[10195]: exiting (due to fatal error)
Jan 16 01:45:59 ns named[10328]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named -t /var/named/chroot
Jan 16 01:45:59 ns named[10328]: adjusted limit on open files from 1024 to 1048576
Jan 16 01:45:59 ns named[10328]: found 2 CPUs, using 2 worker threads
Jan 16 01:45:59 ns named[10328]: using up to 4096 sockets
Jan 16 01:45:59 ns named[10328]: loading configuration from '/etc/named.conf'
Jan 16 01:45:59 ns named[10328]: none:0: open: /etc/named.conf: permission denied
Jan 16 01:45:59 ns named[10328]: loading configuration: permission denied
Jan 16 01:45:59 ns named[10328]: exiting (due to fatal error)
日志提示 permission denied, 表示以 named 用户运行的 named 进程没有读取 /etc/named.conf 的权限
[root@ns etc]# cd ../var/named
[root@ns named]# ll
总计 88
-rw-r----- 1 root
root
369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root
named
198 2010-01-18 localdomain.zone
-rw-r----- 1 root
named
195 2010-01-18 localhost.zone
-rw-r----- 1 root
named
427 2010-01-18 named.broadcast
-rw-r----- 1 root
named 1892 2010-01-18 named.ca
-rw-r----- 1 root
named
424 2010-01-18 named.ip6.local
-rw-r----- 1 root
named
426 2010-01-18 named.local
-rw-r----- 1 root
named
427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 root
root
367 01-14 22:17 test.com.zone
筛选信息,我们需要的是
-rw-r----- 1 root
root
367 01-14 22:17 test.com.zone
-rw-r----- 1 root
root
369 01-14 22:18 16.168.192.in-addr.arpa.zone
这里的权限是640
用户是root
组是root
Ok
我们来改变一下
[root@ns named]# chmod 644 test.com.zone
[root@ns named]# chmod 644 16.168.192.in-addr.arpa.zone
[root@ns named]# ll
总计 88
-rw-r--r-- 1 root
root
369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root
named
198 2010-01-18 localdomain.zone
-rw-r----- 1 root
named
195 2010-01-18 localhost.zone
-rw-r----- 1 root
named
427 2010-01-18 named.broadcast
-rw-r----- 1 root
named 1892 2010-01-18 named.ca
-rw-r----- 1 root
named
424 2010-01-18 named.ip6.local
-rw-r----- 1 root
named
426 2010-01-18 named.local
-rw-r----- 1 root
named
427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r--r-- 1 root
root
367 01-14 22:17 test.com.zone
[root@ns named]#
现在test.com.zone和16.168.192.in-addr.arpa.zone的权限都是root root 644
再把named.conf改为相同权限
[root@ns named]# cd ..
[root@ns var]# cd ../etc
[root@ns etc]# chmod 644 named.conf
[root@ns etc]# ll
总计 72
-rw-r--r-- 1 root root
1548 01-15 04:16 ~
-rw-r--r-- 1 root root
1891 01-14 01:31 @
-rw-r--r-- 1 root root
1907 01-14 01:26 !
-rw-r--r-- 1 root root
1559 01-14 01:33 1
-rw-r--r-- 1 root root
405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 root root
1727 01-16 01:34 named.conf
-rw-r----- 1 root named
955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named
113 01-13 21:45 rndc.key
已经改变 root root 644 named.conf
[root@ns etc]# service named restart
停止 named:
[确定
启动 named:
[确定
[root@ns etc]#
Ok
现在的权限问题得以解决 我们来测试下哦
[root@ns etc]# nslookup
> mail.test.com
Server:
192.168.16.254
Address:
192.168.16.254#53
Name:
mail.test.com
Address: 192.168.16.253
> 192.168.16.253
Server:
192.168.16.254
Address:
192.168.16.254#53
253.16.168.192.in-addr.arpa
name = mail.test.com.
>
测试成功,说明权限不存在问题的哦
来想想这个问题 我们给了这几个文件是644 的权限 而且是root的
是不是不安全呢 默认的权限 我们看下吧
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
我们的文件初始都是和这个文件一样的权限 都是640的权限 为了安全 我们把属主和属组改为named
好了 我们来测试下吧
[root@ns etc]# chgrp named named.conf
[root@ns etc]# chown named named.conf
[root@ns etc]# ll
总计 72
-rw-r--r-- 1 root
root
1548 01-15 04:16 ~
-rw-r--r-- 1 root
root
1891 01-14 01:31 @
-rw-r--r-- 1 root
root
1907 01-14 01:26 !
-rw-r--r-- 1 root
root
1559 01-14 01:33 1
-rw-r--r-- 1 root
root
405 01-13 19:10 localtime
-rw-r----- 1 root
named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 named named 1727 01-16 01:34 named.conf
-rw-r----- 1 root
named
955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root
named
113 01-13 21:45 rndc.key
[root@ns etc]#
[root@ns named]# chgrp named test.com.zone
[root@ns named]# chown named test.com.zone
[root@ns named]# chgrp named 16.168.192.in-addr.arpa.zone
[root@ns named]# chown named 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 test.com.zone
[root@ns named]# ll
总计 88
-rw-r----- 1 named named
369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root
named
198 2010-01-18 localdomain.zone
-rw-r----- 1 root
named
195 2010-01-18 localhost.zone
-rw-r----- 1 root
named
427 2010-01-18 named.broadcast
-rw-r----- 1 root
named 1892 2010-01-18 named.ca
-rw-r----- 1 root
named
424 2010-01-18 named.ip6.local
-rw-r----- 1 root
named
426 2010-01-18 named.local
-rw-r----- 1 root
named
427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 named named
367 01-14 22:17 test.com.zone
[root@ns named]#
重新启动服务
[root@ns named]# service named restart
停止 named:
[确定
启动 named:
[确定
[root@ns named]#
好了 我们把named.conf
test.com.zone 16.168.192.in-addr.arpa.zone三个文件的权限都改为了
-rw-r----- 1 named named
那么我们的执行更安全了啊 而且所需的权限更低的
以上的测试表明:
named 进程是以 named 用户运行的(日志里的 -u named), 所以 named.conf、test.com.zone、16.168.192.in-addr.arpa.zone 这三个文件必须让 named 用户能读到:
属主属组都是 root 时, 权限需要是 644;
属组是 named 时, 权限 640 就够了;
否则服务会启动不了的。
另外, 属主改成 named 以后 named 进程自己就能改写这些文件; 像 named.ca 那样保持属主 root、属组 named、权限 640, 服务同样能启动, 而且文件对 named 只读, 会更稳妥一些。
这个教程的名字是 bind中的named.conf及 解析文件权限的探讨,希望此视频和文字来抛砖引玉。 呵呵 把这个学习心得发到我的论坛去 ,希望大家多多支持哈 ……