BIND less restrictive modes and policy
Florian La Roche
laroche at redhat.com
Mon Jan 21 13:19:02 UTC 2008
Hello Adam,
On Mon, Jan 21, 2008 at 12:57:38PM +0100, Adam Tkac wrote:
> Hi all,
>
> I'm going to do major revision of bind's file modes. Currenly We have
> many files readable only by root and I can't see any reason why keep
> binaries unreadable and unexecutable by other users. Also there isn't
> any reason why keep configuration private. Only this files should not
> be readable by other users:
> - /etc/rndc.key - who has it may control server through rndc utility
> - /var/log/named.log - will have sensitive information
ok
>
> All other will be readable for all. Also complete /var/named/* subtree
> will be writable by named (for generating core files, DDNS updates,
> secondary servers, generally for easier configuration).
>
> Has anyone arguments against such change?
Would it be possible to keep write access within subdirs, so that
it e.g. is possible to keep master named files owned by root.root?
(Not sure this buys anything, but still looks good...)
regards,
Florian La Roche
More information about the fedora-devel-list
mailing list