[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy



Till Maas wrote:
On Tue January 22 2008, Andrew Farris wrote:
Manuel Wolfshant wrote:
On 01/22/2008 03:17 AM, Andrew Farris wrote:
Enrico Scholz wrote:
Adam Tkac <atkac redhat com> writes:

I'm assuming now that:
 >>> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be
 >>> writable.

is necessary to function

 >>> pz/ and the other parts of the chroot filesystem must be read-only for
 >>> named.

is not necessary, only 'a good idea', a change to which you are against

Making / read-only for bind is also not necessary for bind to work and also a good idea. The problem is, that it is a very rare case that something needs to be restricted to make something work.

Which is precisely why I asked for clarification when it sounds like he was claiming it needed to be restricted (not likely to be needed).

Therefore the best approach is to disallow/restrict everthing by default and only allow what is necessary to make it work, but not more.


No arguments here.

Regards,
Till



--
Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]