BIND less restrictive modes and policy
Andrew Farris
lordmorgul at gmail.com
Tue Jan 22 16:22:03 UTC 2008
Till Maas wrote:
> On Tue January 22 2008, Andrew Farris wrote:
>> Manuel Wolfshant wrote:
>>> On 01/22/2008 03:17 AM, Andrew Farris wrote:
>>>> Enrico Scholz wrote:
>>>>> Adam Tkac <atkac at redhat.com> writes:
>
>> I'm assuming now that:
>> >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
>> >>> writable.
>>
>> is necessary to function
>>
>> >>> pz/ and the other parts of the chroot filesystem must be read-only for
>> >>> named.
>>
>> is not necessary, only 'a good idea', a change to which you are against
>
> Making / read-only for bind is also not necessary for bind to work and also a
> good idea. The problem is, that it is a very rare case that something needs
> to be restricted to make something work.
Which is precisely why I asked for clarification when it sounds like he was
claiming it needed to be restricted (not likely to be needed).
> Therefore the best approach is to
> disallow/restrict everthing by default and only allow what is necessary to
> make it work, but not more.
>
No arguments here.
> Regards,
> Till
>
--
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
More information about the fedora-devel-list
mailing list