BIND less restrictive modes and policy
Andrew Farris
lordmorgul at gmail.com
Mon Jan 21 12:13:14 UTC 2008
Adam Tkac wrote:
> Hi all,
>
> I'm going to do major revision of bind's file modes. Currenly We have
> many files readable only by root and I can't see any reason why keep
> binaries unreadable and unexecutable by other users. Also there isn't
> any reason why keep configuration private. Only this files should not
> be readable by other users:
> - /etc/rndc.key - who has it may control server through rndc utility
> - /var/log/named.log - will have sensitive information
>
> All other will be readable for all. Also complete /var/named/* subtree
> will be writable by named (for generating core files, DDNS updates,
> secondary servers, generally for easier configuration).
>
> Has anyone arguments against such change?
>
> Regards, Adam
Just a comment, that probably needs to accompany selinux policy adjustments (or
rather, without change in policy other users won't have access even with mode
changes)?
--
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
More information about the fedora-devel-list
mailing list