On Tue January 22 2008, Andrew Farris wrote:
> Manuel Wolfshant wrote:
> > On 01/22/2008 03:17 AM, Andrew Farris wrote:
> >> Enrico Scholz wrote:
> >>> Adam Tkac <atkac redhat com> writes:
>
> I'm assuming now that:
> >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
> >>> writable.
>
> is necessary to function
>
> >>> pz/ and the other parts of the chroot filesystem must be read-only for
> >>> named.
>
> is not necessary, only 'a good idea', a change to which you are against

Making / read-only for bind is also not necessary for bind to work and also a good idea.

The problem is that it is a very rare case that something needs to be restricted to make something work. Therefore the best approach is to disallow/restrict everything by default and only allow what is necessary to make it work, but not more.

Regards,
Till