A few days ago, while reloading DNS on a server, I noticed an issue in the log:
Jul 31 11:29:50 admin named[6098]: the working directory is not writable
First, let's talk about how this error was caught. When doing various tasks, I often tail the log to watch the process do its thing. In this case, here's what I did:
$ sudo ls
$ rndc reload; sudo tail -f /var/log/messages
Why start off with the sudo ls? Essentially, all I'm doing is getting my password issues out of the way so that when I issue the sudo tail command, I won't be bothered with password stuff. If you don't do this, then you'll be asked for your password before the tail, and you'll likely miss seeing the messages that pop up pertaining to your rndc reload.
So, after doing that, I saw the aforementioned log message. Based on the log message, I assumed that there was some sort of permissions issue here. However, we've been using BIND for a while, so it would surprise me that we have a basic permissions issue. But in my investigation (yea for Google), that was exactly the problem: the named directory was not group writable and needed to be.
Changing the named directory's permissions was an easy trick. After changing into named's parent directory (in our case, that's a rather complicated deal: /var/named/chroot/var/), I simply issued this command:
$ sudo chmod g+w named
This command makes the directory writable by the group and not just the owner (the permissions should look something like this: "drwxrwx---"). I reloaded, and the error no longer popped up in the logs.

Hi,
Instead of "sudo ls", you can also do "sudo -v", just to 'validate' yourself for the next few minutes. The sudo manpage says:
-v If given the -v (validate) option, sudo will update the user's
timestamp, prompting for the user's password if necessary. This
extends the sudo timeout for another 5 minutes (or whatever the
timeout is set to in sudoers) but does not run a command.
That's a good idea Dimitry!
Once the named server is restarted by doing /etc/rc.d/named restart under FreeBSD the permissions are reset back to their previous values and the error reappears.
Still haven't found a good solution..
I found a way to fix it permanently, ..
Change in /etc/mtree/BIND.chroot.dist
/set type=dir uname=root gname=wheel mode=0755
to
/set type=dir uname=bind gname=wheel mode=0755
I think you meant:
/set type=dir uname=bind gname=wheel mode=0775
Thanx it works
hhmmmmmm!!!!
nice trick!!
I noticed the same error today in a log with my monthly log review. Your solution worked perfectly! Thanks for the great blog!
Hey Guys,
In CentOS 5 the start script /etc/init.d/named resets the permissions. Look for multiple lines and just delete the "--from" statement.
"/bin/chown -f --from=root:named named:named $ROOTDIR/var/named"
and everything is fine ;-)
Greets
If you don't like typing in your password for sudo constantly, you can configure sudo to not ask for a password for your user or group:
add to /etc/sudoers:
USERNAME ALL=(ALL) ALL
- or -
%GROUPNAME ALL=(ALL) ALL
While this makes the error message go away, I believe you leave yourself with an insecure environment.
BIND doesn't need to be able to write to its root directory. Instead, you're (above) giving permission to named to change named.conf. If anything compromised bind, it can then rewrite the config file. Not optimal.
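
The concern raised in the last comment, as an added example that is not part of the original post or any comment: write permission on a directory lets group members rename or delete the files in it, so a read-only config file inside a group-writable directory can still be swapped out. The function names and the path in the usage line are assumptions; pass whichever directory your named uses.

```shell
#!/bin/sh
# Added example, not from the original post. The directory to audit is an
# argument; nothing here is specific to one distribution's layout.

# dir_mode PATH: print the 10-character mode string, e.g. drwxrwx---
dir_mode() {
    ls -ldL "$1" | cut -c1-10
}

# dir_risk DIR: classify the owning group's control over entries in DIR.
#   ok          - group cannot create, rename or delete entries
#   sticky      - group-writable, but the sticky bit limits rename/delete
#                 to each file's owner, the directory owner and root
#   replaceable - group-writable: any group member can swap out any file
dir_risk() {
    [ -d "$1" ] || return 1
    mode=$(dir_mode "$1")
    gw=$(printf '%s' "$mode" | cut -c6)    # group write bit
    st=$(printf '%s' "$mode" | cut -c10)   # t or T when sticky is set
    if [ "$gw" != "w" ]; then
        echo ok
    elif [ "$st" = "t" ] || [ "$st" = "T" ]; then
        echo sticky
    else
        echo replaceable
    fi
}

# exposed_files DIR: list regular files directly in DIR whose own mode denies
# group write, yet which the group can still replace through the directory.
exposed_files() {
    [ "$(dir_risk "$1")" = "replaceable" ] || return 0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        fgw=$(dir_mode "$f" | cut -c6)
        [ "$fgw" = "w" ] || basename "$f"
    done
}

# Usage: sh audit.sh /var/named/chroot/var/named
if [ "$#" -ge 1 ]; then
    echo "$1: $(dir_risk "$1")"
    exposed_files "$1"
fi
```

Any file name it prints is one whose own permissions look locked down but which the group can still replace.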