[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy



Enrico Scholz wrote:
Andrew Farris <lordmorgul gmail com> writes:

pz/ and the other parts of the chroot filesystem must be read-only
for named.
And why exactly is that?

To give only the required rights is a common and working practice for
years to secure daemons.  Fedora should not forget classical ways
(own uid, chroot environments, restrictive permissions) just to give
something like "easier configuration" (where I can not see how mixing
all and everything into a single dir can ease configuration).

I understand the idea behind minimum access restrictions; my reply/question was in regard to the use of the word 'must' which I assumed to be more than suggestion based on best practice (i.e. it won't work unless..). Manuel Wolfshant said much the same that you (Enrico) did above in his reply that I replied to... (btw.. to Manuel, sorry I did misread and reply 'to you' when 'you' and 'Enrico' were not one in the same, been a long day). Anyway, that common practice is certainly not something that should be ignored lightly, but lets not confuse whether it is suggestion or necessity. (that is all I was asking)

If anyone has reason to believe real *breakage* occurs due to the change Adam Tkac was suggesting I hope they speak up.

--
Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]