[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy



Adam Tkac wrote:
Hi all,

I'm going to do major revision of bind's file modes. Currenly We have
many files readable only by root and I can't see any reason why keep
binaries unreadable and unexecutable by other users. Also there isn't
any reason why keep configuration private. Only this files should not
be readable by other users:
- /etc/rndc.key - who has it may control server through rndc utility
- /var/log/named.log - will have sensitive information

All other will be readable for all. Also complete /var/named/* subtree
will be writable by named (for generating core files, DDNS updates,
secondary servers, generally for easier configuration).

Has anyone arguments against such change?

Regards, Adam

Just a comment, that probably needs to accompany selinux policy adjustments (or rather, without change in policy other users won't have access even with mode changes)?

--
Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]