IT你好技术论坛 › Linux
[Original] On named.conf and zone file permissions in BIND

Posted 2011-1-16 02:17

First, my environment: the DNS server is already configured and working. Here is the configuration.

[root@ns named]# cat /var/named/chroot/etc/named.conf
options {
        listen-on port 53 { 192.168.16.254; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Those options should be used carefully because they disable port
        // randomization
        // query-source port 53;
        // query-source-v6 port 53;

        allow-query { any; };
        // recursion is enabled unless turned off, and allow-query-cache { any; }
        // lets every client that can reach 192.168.16.254 use the cache; add
        // allow-recursion { 192.168.16.0/24; } (or recursion no;) if this
        // server is not meant to resolve for everyone
        allow-query-cache { any; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-update { none; };
};

zone "16.168.192.in-addr.arpa" IN {
        type master;
        file "16.168.192.in-addr.arpa.zone";
        allow-update { none; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


[root@ns named]# cat /var/named/chroot/var/named/test.com.zone
$TTL    86400
@               IN SOA  ns.test.com.   root.test.com. (
                                        2011011300      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
@               IN NS           ns.test.com.
ns              IN A            192.168.16.254
@               IN MX   5       mail.test.com.
mail            IN A            192.168.16.253
www             IN A            192.168.16.252


[root@ns named]# cat /var/named/chroot/var/named/16.168.192.in-addr.arpa.zone
$TTL    86400
@               IN SOA  ns.test.com.   root.test.com. (
                                        2011011300      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
@               IN NS           ns.test.com.
254             IN PTR          ns.test.com.    ; trailing dot added: without it the
                                                ; name is relative and becomes
                                                ; ns.test.com.16.168.192.in-addr.arpa.
@               IN MX    5       mail.test.com.  ; harmless in a reverse zone, but serves no purpose
253             IN PTR           mail.test.com.
252             IN PTR           www.test.com.



[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root  1548 01-15 04:16 ~
-rw-r--r-- 1 root root  1891 01-14 01:31 @
-rw-r--r-- 1 root root  1907 01-14 01:26
-rw-r--r-- 1 root root  1559 01-14 01:33 1
-rw-r--r-- 1 root root   405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r----- 1 root root  1727 01-16 01:34 named.conf
-rw-r----- 1 root named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named  113 01-13 21:45 rndc.key

The line we care about:
-rw-r----- 1 root root  1727 01-16 01:34 named.conf

named.conf is owner root, group root, mode 640.
[root@ns etc]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [FAILED]
[root@ns etc]#

Restarting named fails. Look at the error in the log:
[root@ns etc]# tail /var/log/messages
Jan 16 01:41:49 ns named[10195]: loading configuration: permission denied
Jan 16 01:41:49 ns named[10195]: exiting (due to fatal error)
Jan 16 01:45:59 ns named[10328]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named -t /var/named/chroot
Jan 16 01:45:59 ns named[10328]: adjusted limit on open files from 1024 to 1048576
Jan 16 01:45:59 ns named[10328]: found 2 CPUs, using 2 worker threads
Jan 16 01:45:59 ns named[10328]: using up to 4096 sockets
Jan 16 01:45:59 ns named[10328]: loading configuration from '/etc/named.conf'
Jan 16 01:45:59 ns named[10328]: none:0: open: /etc/named.conf: permission denied
Jan 16 01:45:59 ns named[10328]: loading configuration: permission denied
Jan 16 01:45:59 ns named[10328]: exiting (due to fatal error)

The log says permission denied. The "starting BIND ... -u named -t /var/named/chroot" line explains why: named drops to the unprivileged user named and chroots into /var/named/chroot, so the /etc/named.conf it cannot open is /var/named/chroot/etc/named.conf on the host, which is root:root 640 and therefore unreadable to anyone but root. Next, check the zone files the same way:

[root@ns etc]# cd ../var/named
[root@ns named]# ll
total 88
-rw-r----- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 root  root   367 01-14 22:17 test.com.zone

The lines we care about:
-rw-r----- 1 root  root   367 01-14 22:17 test.com.zone
-rw-r----- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone

Mode 640, owner root, group root: the same problem as named.conf, the named user cannot read them.

OK, let's change that:

[root@ns named]# chmod 644 test.com.zone
[root@ns named]# chmod 644 16.168.192.in-addr.arpa.zone

[root@ns named]# ll
total 88
-rw-r--r-- 1 root  root   369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r--r-- 1 root  root   367 01-14 22:17 test.com.zone
[root@ns named]#

Now test.com.zone and 16.168.192.in-addr.arpa.zone are both root root 644. Give named.conf the same permissions:


[root@ns named]# cd ..
[root@ns var]# cd ../etc
[root@ns etc]# chmod 644 named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root root  1548 01-15 04:16 ~
-rw-r--r-- 1 root root  1891 01-14 01:31 @
-rw-r--r-- 1 root root  1907 01-14 01:26
-rw-r--r-- 1 root root  1559 01-14 01:33 1
-rw-r--r-- 1 root root   405 01-13 19:10 localtime
-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 root root  1727 01-16 01:34 named.conf
-rw-r----- 1 root named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root named  113 01-13 21:45 rndc.key

named.conf is now root root 644.

[root@ns etc]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@ns etc]#

OK, the permission problem is gone. Now test it:


[root@ns etc]# nslookup
> mail.test.com
Server:         192.168.16.254
Address:        192.168.16.254#53

Name:   mail.test.com
Address: 192.168.16.253
> 192.168.16.253
Server:         192.168.16.254
Address:        192.168.16.254#53

253.16.168.192.in-addr.arpa     name = mail.test.com.
>

Both the forward and the reverse lookup succeed, so the permission problem is solved.

Now think about it: we gave these files mode 644 with owner root. Is that insecure? Look at the default permissions:

-rw-r----- 1 root named 1230 2010-01-18 named.caching-nameserver.conf

The files shipped with the package all look like this one: mode 640, so only the owner and the named group can read them. For safety, change the owner to named instead of opening the files to everyone, then test again:


[root@ns etc]# chgrp named named.conf
[root@ns etc]# chown named named.conf
[root@ns etc]# ll
total 72
-rw-r--r-- 1 root  root  1548 01-15 04:16 ~
-rw-r--r-- 1 root  root  1891 01-14 01:31 @
-rw-r--r-- 1 root  root  1907 01-14 01:26
-rw-r--r-- 1 root  root  1559 01-14 01:33 1
-rw-r--r-- 1 root  root   405 01-13 19:10 localtime
-rw-r----- 1 root  named 1230 2010-01-18 named.caching-nameserver.conf
-rw-r--r-- 1 named named 1727 01-16 01:34 named.conf
-rw-r----- 1 root  named  955 2010-01-18 named.rfc1912.zones
-rw-r----- 1 root  named  113 01-13 21:45 rndc.key
[root@ns etc]#


[root@ns named]# chgrp named test.com.zone
[root@ns named]# chown named test.com.zone
[root@ns named]# chgrp named 16.168.192.in-addr.arpa.zone
[root@ns named]# chown named 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 16.168.192.in-addr.arpa.zone
[root@ns named]# chmod 640 test.com.zone
[root@ns named]# ll
total 88
-rw-r----- 1 named named  369 01-14 22:18 16.168.192.in-addr.arpa.zone
drwxrwx--- 2 named named 4096 01-13 22:41 data
-rw-r----- 1 root  named  198 2010-01-18 localdomain.zone
-rw-r----- 1 root  named  195 2010-01-18 localhost.zone
-rw-r----- 1 root  named  427 2010-01-18 named.broadcast
-rw-r----- 1 root  named 1892 2010-01-18 named.ca
-rw-r----- 1 root  named  424 2010-01-18 named.ip6.local
-rw-r----- 1 root  named  426 2010-01-18 named.local
-rw-r----- 1 root  named  427 2010-01-18 named.zero
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 named named  367 01-14 22:17 test.com.zone
[root@ns named]#


Restart the service:

[root@ns named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@ns named]#
Now named.conf, test.com.zone and 16.168.192.in-addr.arpa.zone are all owned by named:named. The two zone files are -rw-r----- (640); named.conf is still -rw-r--r-- from the earlier chmod 644 (see the listing above) and needs a chmod 640 named.conf as well. The service starts, and once all three are 640 the files are no longer readable by every local user.

What the tests show:

named runs as the unprivileged user named (the -u named in the startup log), so it must be able to read named.conf, test.com.zone and 16.168.192.in-addr.arpa.zone inside the chroot. With owner and group root that requires mode 644; with owner named, mode 640 is enough. Anything less and the service does not start, failing with "loading configuration: permission denied".

Neither variant is the best choice, though. The files the package ships (named.caching-nameserver.conf, named.ca, rndc.key and the rest of the listing) are owner root, group named, mode 640: named reads them through its group, other local users cannot read them at all, and the named process cannot modify them. With owner named and mode 640, a compromised named process could rewrite its own configuration and zone data; with mode 644, any local user can read the config, including any key statement placed in it. So for master zones with allow-update { none; }, as configured here, prefer chgrp named plus chmod 640 (leaving root as the owner) over either of the two variants tested above. Only zone files that accept dynamic updates, plus the data and slaves directories, need to be writable by named.

This tutorial is titled "On named.conf and zone file permissions in BIND". I hope the video and this write-up give others a starting point. I am posting these study notes to my forum; your support is appreciated.

