[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy

From: Andrew Farris <lordmorgul gmail com>
To: Development discussions related to Fedora <fedora-devel-list redhat com>
Subject: Re: BIND less restrictive modes and policy
Date: Tue, 22 Jan 2008 08:22:03 -0800

Till Maas wrote:

On Tue January 22 2008, Andrew Farris wrote:

Manuel Wolfshant wrote:

On 01/22/2008 03:17 AM, Andrew Farris wrote:

Enrico Scholz wrote:

Adam Tkac <atkac redhat com> writes:

I'm assuming now that:
 >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
 >>> writable.

is necessary to function

 >>> pz/ and the other parts of the chroot filesystem must be read-only for
 >>> named.

is not necessary, only 'a good idea', a change to which you are against

Making / read-only for bind is also not necessary for bind to work and also agood idea. The problem is, that it is a very rare case that something needsto be restricted to make something work.

Which is precisely why I asked for clarification when it sounds like he wasclaiming it needed to be restricted (not likely to be needed).

Therefore the best approach is todisallow/restrict everthing by default and only allow what is necessary tomake it work, but not more.


No arguments here.

Regards,
Till



--
Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----

References:
- BIND less restrictive modes and policy
  - From: Adam Tkac
- Re: BIND less restrictive modes and policy
  - From: Manuel Wolfshant
- Re: BIND less restrictive modes and policy
  - From: Andrew Farris
- Re: BIND less restrictive modes and policy
  - From: Till Maas

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]