BIND less restrictive modes and policy
Till Maas
opensource at till.name
Tue Jan 22 16:10:33 UTC 2008
On Tue January 22 2008, Andrew Farris wrote:
> Manuel Wolfshant wrote:
> > On 01/22/2008 03:17 AM, Andrew Farris wrote:
> >> Enrico Scholz wrote:
> >>> Adam Tkac <atkac at redhat.com> writes:
> I'm assuming now that:
> >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
> >>> writable.
>
> is necessary to function
>
> >>> pz/ and the other parts of the chroot filesystem must be read-only for
> >>> named.
>
> is not necessary, only 'a good idea', a change to which you are against
Making / read-only for bind is also not necessary for bind to work and also a
good idea. The problem is, that it is a very rare case that something needs
to be restricted to make something work. Therefore the best approach is to
disallow/restrict everthing by default and only allow what is necessary to
make it work, but not more.
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20080122/f822291d/attachment-0002.bin
More information about the devel
mailing list