Enrico Scholz wrote:
Andrew Farris lordmorgul@gmail.com writes:
pz/ and the other parts of the chroot filesystem must be read-only for named.
And why exactly is that?
To give only the required rights is a common and working practice for years to secure daemons. Fedora should not forget classical ways (own uid, chroot environments, restrictive permissions) just to give something like "easier configuration" (where I can not see how mixing all and everything into a single dir can ease configuration).
I understand the idea behind minimum access restrictions; my reply/question was in regard to the use of the word 'must' which I assumed to be more than suggestion based on best practice (i.e. it won't work unless..). Manuel Wolfshant said much the same that you (Enrico) did above in his reply that I replied to... (btw.. to Manuel, sorry I did misread and reply 'to you' when 'you' and 'Enrico' were not one in the same, been a long day). Anyway, that common practice is certainly not something that should be ignored lightly, but lets not confuse whether it is suggestion or necessity. (that is all I was asking)
If anyone has reason to believe real *breakage* occurs due to the change Adam Tkac was suggesting I hope they speak up.