IT你好技术论坛
Title: [Original] A look at named.conf and zone file permissions in BIND
Author: xiaowuhello
Time: 2011-1-16 02:17
First, my environment: my DNS server is already configured and working. Here is the configuration.
[root@ns named]# cat /var/named/chroot/etc/named.conf
options {
    listen-on port 53 { 192.168.16.254; };
    listen-on-v6 port 53 { ::1; };
    // paths are relative to the chroot (named runs with -t /var/named/chroot),
    // so this directory is /var/named/chroot/var/named on the host
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // Those options should be used carefully because they disable port
    // randomization
    // query-source port 53;
    // query-source-v6 port 53;
    allow-query { any; };
    allow-query-cache { any; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "test.com" IN {
    type master;
    file "test.com.zone";
    allow-update { none; };
};
zone "16.168.192.in-addr.arpa" IN {
    type master;
    file "16.168.192.in-addr.arpa.zone";
    allow-update { none; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
[root@ns named]# cat /var/named/chroot/var/named/test.com.zone
$TTL 86400
@       IN SOA  ns.test.com. root.test.com. (
                        2011011300      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
@       IN NS   ns.test.com.
ns      IN A    192.168.16.254
@       IN MX 5 mail.test.com.
mail    IN A    192.168.16.253
www     IN A    192.168.16.252
[root@ns named]# cat /var/named/chroot/var/named/16.168.192.in-addr.arpa.zone
$TTL 86400
@       IN SOA  ns.test.com. root.test.com. (
                        2011011300      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
@       IN NS   ns.test.com.
254     IN PTR  ns.test.com.    ; trailing dot is required: without it the name is
                                ; relative to the origin and becomes
                                ; ns.test.com.16.168.192.in-addr.arpa.
@       IN MX 5 mail.test.com.  ; an MX record means nothing in a reverse zone;
                                ; harmless, but it can be dropped
253     IN PTR  mail.test.com.
252     IN PTR  www.test.com.
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root  1548 01-15 04:16 ~
-rw-r--r-- 1 root root  1891 01-14 01:31 @
-rw-r--r-- 1 root root  1907 01-14 01:26 !
-rw-r--r-- 1 root root  1559 01-14 01:33 1
-rw-r--r-- 1 root root   405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r----- 1 root root  1727 01-16 01:34 named.conf
-rw-r----- 1 root named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named  113 01-13 21:45 rndc.key
The line that matters:
-rw-r----- 1 root root  1727 01-16 01:34 named.conf
named.conf is owned by user root, group root, mode 640.
[root@ns etc]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [FAILED]
[root@ns etc]#
Restarting the named service does not succeed. Let's look at the error in the log:
[root@ns etc]# tail /var/log/messages
Jan 16 01:41:49 ns named[10195]: loading configuration: permission denied
Jan 16 01:41:49 ns named[10195]: exiting (due to fatal error)
Jan 16 01:45:59 ns named[10328]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named -t /var/named/chroot
Jan 16 01:45:59 ns named[10328]: adjusted limit on open files from 1024 to 1048576
Jan 16 01:45:59 ns named[10328]: found 2 CPUs, using 2 worker threads
Jan 16 01:45:59 ns named[10328]: using up to 4096 sockets
Jan 16 01:45:59 ns named[10328]: loading configuration from '/etc/named.conf'
Jan 16 01:45:59 ns named[10328]: none:0: open: /etc/named.conf: permission denied
Jan 16 01:45:59 ns named[10328]: loading configuration: permission denied
Jan 16 01:45:59 ns named[10328]: exiting (due to fatal error)
The log says permission denied: named cannot read its configuration. The start-up line shows why. named is started with "-u named -t /var/named/chroot", so it chroots into /var/named/chroot and switches to the unprivileged user named before it opens the config; the '/etc/named.conf' in the log is therefore /var/named/chroot/etc/named.conf on the host. That file is root:root with mode 640, which grants read to owner root and group root only. User named is neither, so the open fails and named exits.
[root@ns etc]# cd ../var/named
[root@ns named]# ll
total 88
-rw-r----- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 root  root   367 01-14 22:17 test.com.zone
The lines we care about:
-rw-r----- 1 root  root   367 01-14 22:17 test.com.zone
-rw-r----- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone
Both zone files are mode 640, user root, group root: the same situation as named.conf. OK.
Let's change that:
[root@ns named]# chmod 644 test.com.zone
[root@ns named]# chmod 644 16.168.192.in-addr.arpa.zone
[root@ns named]# ll
total 88
-rw-r--r-- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r--r-- 1 root  root   367 01-14 22:17 test.com.zone
[root@ns named]#
test.com.zone and 16.168.192.in-addr.arpa.zone are now both root root 644. Next, give named.conf the same permissions:
[root@ns named]# cd ..
[root@ns var]# cd ../etc
[root@ns etc]# chmod 644 named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root  1548 01-15 04:16 ~
-rw-r--r-- 1 root root  1891 01-14 01:31 @
-rw-r--r-- 1 root root  1907 01-14 01:26 !
-rw-r--r-- 1 root root  1559 01-14 01:33 1
-rw-r--r-- 1 root root   405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 root root  1727 01-16 01:34 named.conf
-rw-r----- 1 root named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named  113 01-13 21:45 rndc.key
named.conf is now root root 644.
[root@ns etc]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@ns etc]#
OK, the permission problem is solved. Let's test it:
[root@ns etc]# nslookup
> mail.test.com
Server:         192.168.16.254
Address:        192.168.16.254#53

Name:   mail.test.com
Address: 192.168.16.253
> 192.168.16.253
Server:         192.168.16.254
Address:        192.168.16.254#53

253.16.168.192.in-addr.arpa     name = mail.test.com.
>
The test succeeds, so the permissions are no longer a problem.
Now let's think about this. We gave these files mode 644 and left them owned by root. Is that insecure? Look at the permissions the package set by default:
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
Our files started out with the same 640 mode as this one. With 644 the configuration and zone data are readable by every local user on the machine, which is exactly what 640 was preventing. To be safer, let's keep 640 and instead change the owner to named, then test again.
[root@ns etc]# chgrp named named.conf
[root@ns etc]# chown named named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root  root  1548 01-15 04:16 ~
-rw-r--r-- 1 root  root  1891 01-14 01:31 @
-rw-r--r-- 1 root  root  1907 01-14 01:26 !
-rw-r--r-- 1 root  root  1559 01-14 01:33 1
-rw-r--r-- 1 root  root   405 01-13 19:10 localtime
-rw-r----- 1 root  named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 named named 1727 01-16 01:34 named.conf
-rw-r----- 1 root  named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root  named  113 01-13 21:45 rndc.key
[root@ns etc]#
[root@ns named]# chgrp named test.com.zone
[root@ns named]# chown named test.com.zone
[root@ns named]# chgrp named 16.168.192.in-addr.arpa.zone
[root@ns named]# chown named 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 test.com.zone
[root@ns named]# ll
total 88
-rw-r----- 1 named named  369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 named named  367 01-14 22:17 test.com.zone
[root@ns named]#
Restart the service again:
[root@ns named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@ns named]#
Done. named.conf, test.com.zone and 16.168.192.in-addr.arpa.zone are now owned by named:named with mode 640 (one catch: the etc listing above still shows named.conf as -rw-r--r--, because only chgrp and chown were run there; a "chmod 640 named.conf" in the chroot's etc brings it in line with the zone files). named still starts, the files are no longer readable by every local user, and named needs no more than read access as their owner.

What the tests show: named runs as the unprivileged user named (the "-u named" in the start-up log), so every file it opens at start-up, named.conf and each zone file, must be readable by that user, or named exits with "permission denied". With owner root and group root, the mode must grant read to "other", i.e. 644; 640 fails. With owner named, 640 is enough, since named reads as the owner.

There is a third layout, and it is the one the package itself uses for named.caching-nameserver.conf, named.rfc1912.zones, rndc.key, named.ca and the local zones in the listings above: owner root, group named, mode 640. For static zones (allow-update { none; }, as here) it is the tightest of the three: named can read as a group member, other local users cannot read, and named cannot rewrite its own configuration or zone data, which it could as the owner under named:named. Only what named must write, the data/ and slaves/ directories (drwxrwx--- named named above) and any dynamically updated zone with its journal, needs named as owner.
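The layout the package uses in the listings above (root:named 640 for everything named only reads, named:named 770 for the directories it writes to) as one script, added here as my own example rather than anything from the post or from BIND. It assumes GNU coreutils (stat -c) and static zones as in this post; the owner and the run user are parameters so the function can be exercised on a throwaway tree without root (chown to your own user and group is always allowed), and on the real server you would call it as root with root, named, named.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes GNU coreutils (stat -c) and static zones (allow-update { none; }).

# set_bind_perms CHROOT CFG_OWNER RUN_USER RUN_GROUP
#   CFG_OWNER owns the read-only inputs (root on a real server); RUN_USER/RUN_GROUP is
#   the account named runs as (named:named on a real server).
set_bind_perms() {
  sp_root=$1; sp_owner=$2; sp_user=$3; sp_group=$4
  # Files named only reads: owner keeps them, group RUN_GROUP may read, nobody else.
  # named can read but not modify its own configuration or zone data.
  for sp_f in "$sp_root/etc/named.conf" "$sp_root/etc/rndc.key" \
              "$sp_root"/var/named/*.zone "$sp_root"/var/named/named.ca; do
    [ -f "$sp_f" ] || continue
    chown "$sp_owner:$sp_group" "$sp_f" && chmod 0640 "$sp_f" || return 1
  done
  # Directories named writes to (cache dump, statistics, transferred slave zones):
  # these, and only these, belong to the run user, matching drwxrwx--- named named.
  for sp_d in "$sp_root/var/named/data" "$sp_root/var/named/slaves"; do
    [ -d "$sp_d" ] || continue
    chown "$sp_user:$sp_group" "$sp_d" && chmod 0770 "$sp_d" || return 1
  done
}

# perm_of FILE -> "MODE OWNER:GROUP", the three facts the post keeps checking with ll
perm_of() { stat -c '%a %U:%G' "$1"; }

# make_demo_tree -> path of a constructed throwaway chroot (not the real /var/named/chroot)
# in the post's intermediate state: config and zones world-readable, 644.
make_demo_tree() {
  md_t=$(mktemp -d)
  mkdir -p "$md_t/etc" "$md_t/var/named/data" "$md_t/var/named/slaves"
  printf 'options { directory "/var/named"; };\n' > "$md_t/etc/named.conf"
  printf '$TTL 86400\n' > "$md_t/var/named/test.com.zone"
  printf '$TTL 86400\n' > "$md_t/var/named/16.168.192.in-addr.arpa.zone"
  chmod 0644 "$md_t/etc/named.conf" "$md_t"/var/named/*.zone
  chmod 0755 "$md_t/var/named/data" "$md_t/var/named/slaves"
  echo "$md_t"
}

# Stand-alone demo on the constructed tree, with the current user standing in for root/named.
demo_root=$(make_demo_tree)
echo "before:"
for f in "$demo_root/etc/named.conf" "$demo_root"/var/named/*.zone "$demo_root/var/named/data"; do
  echo "  $(perm_of "$f") $f"
done
set_bind_perms "$demo_root" "$(id -un)" "$(id -un)" "$(id -gn)"
echo "after:"
for f in "$demo_root/etc/named.conf" "$demo_root"/var/named/*.zone "$demo_root/var/named/data"; do
  echo "  $(perm_of "$f") $f"
done
rm -rf "$demo_root"
```

After applying it on the real chroot, confirm named can still parse everything before restarting: named-checkconf -t /var/named/chroot /etc/named.conf and named-checkzone test.com /var/named/chroot/var/named/test.com.zone, then service named restart and watch /var/log/messages for the "permission denied" line from earlier.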
This tutorial is called "A look at named.conf and zone file permissions in BIND"; I hope the video and this write-up can serve as a starting point for discussion.
Heh. I'm posting these study notes to my forum, and I hope everyone will support it.
……
Welcome to IT你好技术论坛 (http://it.o-o.zone/)
Powered by Discuz! X1