BIND less restrictive modes and policy

Adam Tkac atkac at redhat.com
Tue Jan 22 16:26:37 UTC 2008


On Tue, Jan 22, 2008 at 09:27:14AM +0100, Enrico Scholz wrote:
> Andrew Farris <lordmorgul at gmail.com> writes:
> 
> >> pz/ and the other parts of the chroot filesystem must be read-only
> >> for named.
> >
> > And why exactly is that?
> 
> To give only the required rights is a common and working practice for
> years to secure daemons.  Fedora should not forget classical ways
> (own uid, chroot environments, restrictive permissions) just to give
> something like "easier configuration" (where I can not see how mixing
> all and everything into a single dir can ease configuration).
> 

Main reason why I want /var/named writable is because named is
designed that this directory is supossed to be writable, not easier
configuration. It really make problems sometimes when it is not writable.
And add some option to initscript which will make that directory writable
is suspicious for me.

Adam

-- 
Adam Tkac, Red Hat, Inc.




More information about the fedora-devel-list mailing list