On Mon, Jan 21, 2008 at 02:19:02PM +0100, Florian La Roche wrote:
> > All others will be readable for all. Also the complete /var/named/* subtree will be writable by named (for generating core files, DDNS updates, secondary servers, generally for easier configuration).
> > Does anyone have arguments against such a change?
> Would it be possible to keep write access within subdirs, so that it is e.g. possible to keep the master named files owned by root.root? (Not sure this buys anything, but it still looks good...)
We should make the /var/named directory writable for named (upstream has the same opinion, see https://bugzilla.redhat.com/show_bug.cgi?id=400461#c17). So if we have this directory writable, it is not needed to ship the /var/named/{data,slaves,dynamic} subdirectories, because a non-writable /var/named directory is the only reason for them. Master zones installed by default will be root:named 644 (so no write access) and other perms will be controlled by the administrator. So in the end the new schema will be:

- /etc/{named.conf,rndc.conf,rndc.key} + logfile non-readable for others (OK, a world-readable named.conf is quite suspicious, so leave it private as is)
- /var/named will be writable and read-only permissions will be set per zone by the admin
- /var/named/* subdirectories will stop existing and files will be moved to /var/named/
Adam
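An added example, not part of the thread or the bind package: a small POSIX sh audit of a BIND layout against the scheme Adam lists above (config files unreadable by others, the zone directory writable by the named group, master zone files 0644 with the expected owner). The demo tree, the `.zone` naming and the use of the current user:group as a stand-in for root:named are constructed assumptions; GNU `stat -c` is assumed.

```shell
# Added example (not from the thread): audit a BIND tree against the
# proposed permission scheme. GNU stat is assumed.
mode_of()  { stat -c '%a' "$1"; }     # e.g. 644
owner_of() { stat -c '%U:%G' "$1"; }  # e.g. root:named

# audit_named_tree ZONEDIR EXPECTED_OWNER CONF...
# Prints one line per finding; returns 0 if everything matches, else 1.
audit_named_tree() {
  zonedir="$1"; want_owner="$2"; shift 2
  rc=0
  for conf in "$@"; do
    # last octal digit is the "others" triplet; the scheme wants it 0
    m=$(mode_of "$conf")
    case "$m" in *0) ;; *) echo "FAIL: $conf readable by others ($m)"; rc=1 ;; esac
  done
  # the group (named) triplet must include write so named can create files
  m=$(mode_of "$zonedir")
  g=${m%?}          # drop the others digit
  g=${g#"${g%?}"}   # keep only the group digit
  case "$g" in 2|3|6|7) ;; *) echo "FAIL: $zonedir not group-writable ($m)"; rc=1 ;; esac
  # master zones shipped by the package: 0644 and owned as expected
  for z in "$zonedir"/*.zone; do
    [ -e "$z" ] || continue
    [ "$(mode_of "$z")" = 644 ] || { echo "FAIL: $z mode $(mode_of "$z"), want 644"; rc=1; }
    [ "$(owner_of "$z")" = "$want_owner" ] || { echo "FAIL: $z owner $(owner_of "$z"), want $want_owner"; rc=1; }
  done
  return $rc
}

# Constructed demo tree standing in for /etc and /var/named. The calling
# user:group stands in for root:named since a sandbox may have no 'named'.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc" "$d/var/named"
  : > "$d/etc/named.conf"; chmod 640 "$d/etc/named.conf"
  : > "$d/etc/rndc.key";   chmod 640 "$d/etc/rndc.key"
  : > "$d/var/named/example.zone"; chmod 644 "$d/var/named/example.zone"
  chmod 2770 "$d/var/named"   # group-writable; setgid keeps new files in the group
  echo "$d"
}

demo=$(make_demo_tree)
audit_named_tree "$demo/var/named" "$(id -un):$(id -gn)" \
  "$demo/etc/named.conf" "$demo/etc/rndc.key" && echo "PASS: layout matches scheme"
rm -rf "$demo"
```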