[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy

On Tue January 22 2008, Andrew Farris wrote:
> Manuel Wolfshant wrote:
> > On 01/22/2008 03:17 AM, Andrew Farris wrote:
> >> Enrico Scholz wrote:
> >>> Adam Tkac <atkac redhat com> writes:

> I'm assuming now that:
>  >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
>  >>> writable.
> is necessary to function
>  >>> pz/ and the other parts of the chroot filesystem must be read-only for
>  >>> named.
> is not necessary, only 'a good idea', a change to which you are against

Making / read-only for bind is also not necessary for bind to work and also a 
good idea. The problem is, that it is a very rare case that something needs 
to be restricted to make something work. Therefore the best approach is to 
disallow/restrict everthing by default and only allow what is necessary to 
make it work, but not more.


Attachment: signature.asc
Description: This is a digitally signed message part.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]