BIND less restrictive modes and policy

Florian La Roche laroche at redhat.com
Mon Jan 21 16:10:58 UTC 2008


On Mon, Jan 21, 2008 at 04:57:21PM +0100, Adam Tkac wrote:
> On Mon, Jan 21, 2008 at 09:48:53AM -0600, Chris Adams wrote:
> > Once upon a time, Adam Tkac <atkac at redhat.com> said:
> > > - /var/named will be writable and read-only permissions will be set
> > >   per-zone by admin
> > 
> > If the directory is writable, read-only file permissions are
> > meaningless.
> > 
> 
> Maybe but what other solution will be better? I could create separate
> read-only directory inside /var/named (called "masters" for example)
> and put all read-only zones there but I'm not sure if admins will like
> it and use it.

That's why the root-only /var/named with writable subdirs was very nice.
Your points about allowing core-dumps and other things like a non-complex
setup are also valid, that's why I think we should stay thinking about
this some more before reducing the security of bind.

regards,

Florian La Roche




More information about the fedora-devel-list mailing list