Notes on configuring bind: permission confusion
Setting up DNS on other machines never seemed as troublesome as it is on Ubuntu.
After the configuration was done, the zone transfers failed:
Aug 12 16:14:49 dnsbackup named[5816]: dumping master file: /etc/bind/tmp-T5nWPaldMq: open: permission denied
Aug 12 16:14:49 dnsbackup named[5816]: transfer of '21pt.com/IN' from 10.1.1.1#53: failed while receiving responses: permission denied
Aug 12 16:15:01 dnsbackup named[5816]: dumping master file: /etc/bind/tmp-OtIXHeD7KD: open: permission denied
Aug 12 16:15:01 dnsbackup named[5816]: transfer of '21nw.com/IN' from 10.1.1.1#53: failed while receiving responses: permission denied
Aug 12 16:15:16 dnsbackup named[5816]: dumping master file: /etc/bind/tmp-fTi3qauwBM: open: permission denied
Looking at the directory, my first guess was the setgid bit ('s') on it: drwxr-sr-x 2 bind bind 4096 2008-08-13 06:46 bind
Changed it to drwxr-xr-x 2 bind bind 4096 2008-08-13 07:08 bind, and a new error appeared. The directory mode was never the cause: the kernel audit lines below show the denial coming from the AppArmor profile for /usr/sbin/named (profile="/usr/sbin/named"), which ordinary Unix permissions cannot override:
Aug 13 06:45:44 dnsbackup kernel: [ 5232.430097] audit(1218581144.133:28): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/var/run/bind/tmp-PSBH9ZzQfP" pid=11401 profile="/usr/sbin/named" namespace="default"
Aug 13 06:45:48 dnsbackup kernel: [ 5236.421918] audit(1218581148.133:29): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/var/run/bind/tmp-pdY35YPCRQ" pid=11399 profile="/usr/sbin/named" namespace="default"
Aug 13 06:46:39 dnsbackup kernel: [ 5287.949290] audit(1218581199.792:30): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-kTjw6bDlFg" pid=11445 profile="/usr/sbin/named" namespace="default"
Aug 13 06:46:40 dnsbackup kernel: [ 5288.449966] audit(1218581200.296:31): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-XiqhIe2izy" pid=11448 profile="/usr/sbin/named" namespace="default"
Aug 13 06:46:40 dnsbackup kernel: [ 5288.467676] audit(1218581200.311:32): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-vHqJNnTTuN" pid=11445 profile="/usr/sbin/named" namespace="default"
Aug 13 06:47:26 dnsbackup kernel: [ 5334.833849] audit(1218581246.794:33): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-5arShBMhT7" pid=11446 profile="/usr/sbin/named" namespace="default"
Aug 13 06:47:27 dnsbackup kernel: [ 5335.849582] audit(1218581247.813:34): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-8YHohOIn8q" pid=11446 profile="/usr/sbin/named" namespace="default"
Aug 13 06:47:38 dnsbackup kernel: [ 5346.806773] audit(1218581258.791:35): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/tmp-NwdcTD46WC" pid=11445 profile="/usr/sbin/named" namespace="default"
Another round of googling showed that the real problem was in /etc/apparmor.d/usr.sbin.named:
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/run/bind/run/named.pid w,

  # support for resolvconf
  /var/run/bind/named.options r,
}
Two ways forward. One is to change /etc/bind/** r, to /etc/bind/** rw,. That feels like it breaks something, and it does: it lets named overwrite its own named.conf and every other file under /etc/bind, which is exactly what the profile comment says should stay read-only for bind. The other is to move the zone files that need writing into a directory the profile already allows writes to, i.e. under /var/lib/bind/** rw, (the profile's own comment says /var/cache/bind is the place intended for slave/stub data, and /var/lib/bind for dynamically updated zones; either is writable, only the file paths in named.conf need to change). Apart from the files being harder to find afterwards, this is fine; the usual way is find / | grep db.21pt.com.
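A small check for the second approach, as an added example that is not part of the original post: it scans a named.conf-style file and flags every slave or stub zone whose file path lies outside /var/lib/bind and /var/cache/bind, i.e. every zone whose transfer the AppArmor profile above will deny. The function names, the constructed sample config and the zone names in it are assumptions made for this example, not the author's real configuration. It is a simple parser and assumes each zone's masters { ... }; statement sits on one line.

```shell
#!/bin/sh
# Added example (not from the original post). Flags slave/stub zones in a
# BIND config whose "file" path is not under the directories the Debian
# AppArmor profile for /usr/sbin/named allows writes to.

# Constructed sample named.conf fragment (not the author's real config).
sample_conf() {
    cat <<'EOF'
// constructed sample, not a real named.conf
options {
    directory "/var/cache/bind";
};
zone "21pt.com" {
    type slave;
    file "/etc/bind/db.21pt.com";      // AppArmor: /etc/bind/** r only
    masters { 10.1.1.1; };
};
zone "21nw.com" {
    type slave;
    file "/var/cache/bind/db.21nw.com";
    masters { 10.1.1.1; };
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";         // read-only is fine for a master
};
EOF
}

# Print one line per zone block: "<zone name> <type> <file path>".
# Tracks the current zone by matching the zone/type/file keywords and the
# "};" that closes the zone block; masters { ... }; is assumed to be one line.
list_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { n = $2; gsub(/"/, "", n); t = ""; f = "" }
        /^[ \t]*type[ \t]+/  { t = $2; sub(/;.*/, "", t) }
        /^[ \t]*file[ \t]+/  { f = $2; gsub(/[";]/, "", f) }
        /^[ \t]*};/ && n != "" { print n, t, f; n = "" }
    ' "$1"
}

# Print "BAD <zone> <file>" for each slave/stub zone whose file is outside
# /var/lib/bind or /var/cache/bind; exit status 1 if any was found.
check_zone_paths() {
    list_zones "$1" | awk '
        ($2 == "slave" || $2 == "stub") &&
        $3 !~ /^\/var\/(lib|cache)\/bind\// { print "BAD", $1, $3; bad = 1 }
        END { if (bad) exit 1 }
    '
}

# Run as a script with a config path to check that file, e.g.
#   sh check_zones.sh /etc/bind/named.conf.local
# Without arguments only the functions are defined (use sample_conf to try it).
if [ $# -gt 0 ]; then
    check_zone_paths "$1"
fi
```

On the sample config this prints BAD 21pt.com /etc/bind/db.21pt.com and exits 1; the master zone under /etc/bind is not reported, because named only reads master files and the profile allows that.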
Then a new problem: no query log was being written. The rndc status output below says so itself, "query logging is OFF"; named does not record queries until it is turned on (rndc querylog toggles it at runtime in BIND 9).
$ rndc status
number of zones: 17
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Found it hiding in var!!!
tag: What is happiness? Happiness is eating whatever you want as long as it doesn't give you the runs, and doing whatever you want as long as it doesn't land you in jail....