BIND less restrictive modes and policy
Andrew Farris
lordmorgul at gmail.com
Tue Jan 22 08:50:16 UTC 2008
Enrico Scholz wrote:
> Andrew Farris <lordmorgul at gmail.com> writes:
>
>>> pz/ and the other parts of the chroot filesystem must be read-only
>>> for named.
>> And why exactly is that?
>
> To give only the required rights is a common and working practice for
> years to secure daemons. Fedora should not forget classical ways
> (own uid, chroot environments, restrictive permissions) just to give
> something like "easier configuration" (where I can not see how mixing
> all and everything into a single dir can ease configuration).
I understand the idea behind minimum access restrictions; my reply/question was
in regard to the use of the word 'must' which I assumed to be more than
suggestion based on best practice (i.e. it won't work unless..). Manuel
Wolfshant said much the same that you (Enrico) did above in his reply that I
replied to... (btw.. to Manuel, sorry I did misread and reply 'to you' when
'you' and 'Enrico' were not one in the same, been a long day). Anyway, that
common practice is certainly not something that should be ignored lightly, but
lets not confuse whether it is suggestion or necessity. (that is all I was asking)
If anyone has reason to believe real *breakage* occurs due to the change Adam
Tkac was suggesting I hope they speak up.
--
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
More information about the devel
mailing list