Andrew Farris wrote:

No, Enrico's reply was based on best practices and common sense, not on "mandatory, otherwise it will break things". Adam's suggestion will just lower an already existing level of security.

> Enrico Scholz wrote:
>
>> Andrew Farris <lordmorgul gmail com> writes:
>>
>>>> pz/ and the other parts of the chroot filesystem must be read-only for named.
>>>
>>> And why exactly is that?
>>
>> To give only the required rights is a common and working practice for years to secure daemons. Fedora should not forget classical ways (own uid, chroot environments, restrictive permissions) just to give something like "easier configuration" (where I can not see how mixing all and everything into a single dir can ease configuration).
>
> I understand the idea behind minimum access restrictions; my reply/question was in regard to the use of the word 'must', which I assumed to be more than a suggestion based on best practice (i.e. it won't work unless...).
>
> Anyway, that common practice is certainly not something that should be ignored lightly, but let's not confuse whether it is suggestion or necessity. (That is all I was asking.)

It will not break anything but best security practices, but will bring no benefit either. I support 1000.00 % Enrico's view. Having a single directory with all zone files will not bring anything useful. OTOH (this is a digression, I know) it WOULD be useful if bind would include support for real database backends.

> If anyone has reason to believe real *breakage* occurs due to the change Adam Tkac was suggesting I hope they speak up.

FWIW: Ever since 2000 I do "split DNS" by running two different daemons, each one chrooted in its own directory, rather than "different external / internal" views. If someone is to break my external named, (s)he will (or should) be chroot-ed to external named's directory and hopefully will not be able to find out information about my internal networks.
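Enrico's point (give named only the rights it needs inside the chroot) is easy to check mechanically. The following is an added example, not code from this thread or from Fedora's bind package: a POSIX shell function that walks a named chroot and lists every path the daemon's uid could write to, outside an allowlist of directories that are expected to be writable. The function name, the `named` user, and the `var/run` allowlist entry are assumptions; adjust them to the layout actually in use.

```shell
# audit_chroot ROOT USER ALLOWLIST
#   ROOT      - chroot directory to inspect (e.g. the directory named runs in)
#   USER      - the daemon's own uid name (assumption: "named")
#   ALLOWLIST - space-separated directories, relative to ROOT, that named is
#               expected to write to (assumption: e.g. "var/run"); anything
#               else writable by USER, its primary group, or "other" is
#               printed one path per line.
# Returns 0 when nothing unexpected is writable, 1 when findings were
# printed, 2 when USER does not exist on this system.
audit_chroot() {
    root=$1; user=$2; allow=$3
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    group=$(id -gn "$user")
    rc=0
    # Owned by USER with u+w, owned by its group with g+w, or world-writable.
    find "$root" \( -user "$user" -perm -200 \) \
        -o \( -group "$group" -perm -020 \) \
        -o -perm -002 | sort | while read -r p; do
        rel=${p#"$root"/}
        ok=0
        for a in $allow; do
            case "$rel" in
                "$a"|"$a"/*) ok=1 ;;
            esac
        done
        [ "$ok" -eq 1 ] || echo "$rel"
    done | grep . && rc=1
    return $rc
}

# Typical use on a live system (assumed paths):
#   audit_chroot /var/named/chroot named "var/run"
```

A zone directory such as pz/ showing up in the output means the daemon could rewrite its own zone data; fixing it is a `chmod`/`chown` so that only root owns and writes those files.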