Date: Sun, 22 Sep 2002 13:18:55 -0400
From: The Anarcat <anarcat@anarcat.ath.cx>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Suggested modification to default install
Message-ID: <20020922171855.GA312@lenny.anarcat.ath.cx>
In-Reply-To: <4.3.2.7.2.20020921145846.026efc50@localhost>
References: <4.3.2.7.2.20020920095347.00b15f00@localhost> <20020510194022.D77057@lpt.ens.fr> <000701c1f804$47d5dc00$6401a8c0@penguin> <20020510140222.M57329@lpt.ens.fr> <15580.1017.276905.556906@guru.mired.org> <20020510194022.D77057@lpt.ens.fr> <4.3.2.7.2.20020920095347.00b15f00@localhost> <4.3.2.7.2.20020921145846.026efc50@localhost>
On Sat Sep 21, 2002 at 03:41:55PM -0600, Brett Glass wrote:
> At 11:14 AM 9/21/2002, The Anarcat wrote:
>
> >I keep DNS data in /var/db/namedb; I don't know why it always seemed
> >fundamentally just right to me.
>
> Well, it's sort of a judgment call, because DNS data is part configuration
> (e.g. zones for which you're the master) and part ephemeral database (slave
> zones, the DDNS portions of master zones, and cache). There's a good argument
> that the ephemera ought to go out in /var while the more permanent or
> configuration-like stuff (e.g. master zones) belongs in /usr.
I don't see DNS master data as being necessarily "configuration-like",
especially on big domains which are likely to be externally
managed via scripts or dynamic interfaces.
The thing is that it would be OK to put BIND in /*/etc iff BIND were
configuration-only. But that's not the case.
Even then, I don't believe configuration should necessarily belong in
/usr. This is really all arbitrary and bikeshedding.
> The problem with this is that it's desirable to sandbox (chroot) BIND.
> This, in turn, requires all the data it reads and writes to be under the
> home directory of its UID.
Which could basically be anywhere.
> So, given this constraint, I figure that /usr/local/etc/namedb is probably
> the best place all around -- and that's where I put everything.
I don't like this approach. Given this logic, mysql would run its
databases in /usr/local/etc/mysql (because there is configuration of
mysql in those dbs :), a little far-fetched, but still logical.
[snip of WC rehash]
> In any event, back to my original suggestion. What I suggest is that we
> make the root partition synchronous by default, and reconfigure BIND to
> use /usr/local/etc/namedb instead of /etc/namedb by default.
Two things: we should make BIND use $PREFIX/etc/named for its
*configuration files* (that's named.conf), and its databases should be
in /var/db/namedb. This way we don't have to give the configuration
directory to the bind user, and we can give it another directory
without an arbitrary name such as /etc/named/s/ that is oddly
suggested in the config files.
> While we're at it, let's create a "sandbox" directory structure
> (similar to the one described in the Handbook) for BIND and sandbox
> it by default. There's no reason not to make sandboxing the default
> on every system, since as far as I know it won't break anything to
> do so.
Agreed. But let's put BIND databases in the database directory and no
"live files" in a potentially RO /usr/local.
> Only thing is, I'm not a committer. If I get the changes ready, could someone
> look at committing them to -STABLE?
Wrong way. Code for -current, merge to stable when proven.
But sure there'll be people to do it.
A.
--
Imagination is more important than knowledge
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQE9jft/ttcWHAnWiGcRAl+4AJ42sw9gdSWuI3K8KUGcsV4OJdHNLgCfcRk9
EIzY7ewWeRGx4w+LduAXPqg=
=pj3j
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020922171855.GA312>
