BIND less restrictive modes and policy
Andrew Farris
lordmorgul at gmail.com
Tue Jan 22 01:17:08 UTC 2008
Enrico Scholz wrote:
> Adam Tkac <atkac at redhat.com> writes:
>
>> Also complete /var/named/* subtree will be writable by named
>
> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be writable.
> pz/ and the other parts of the chroot filesystem must be read-only for
> named.
And why exactly is that? Any reference or reason? What becomes exploitable if
that is changed?
--
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
More information about the devel
mailing list