Date: Sun, 03 Aug 2008 10:31:03 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Eugene Grosbein <eugen@kuzbass.ru> Cc: freebsd-net@freebsd.org Subject: Re: permissions on /etc/namedb Message-ID: <4895EB57.2000801@FreeBSD.org> In-Reply-To: <20080803073803.GA10321@grosbein.pp.ru> References: <20080803073803.GA10321@grosbein.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Eugene Grosbein wrote:
> Hi!
>
> I need /etc/namedb to be owned by root:bind and have permissions 01775,
> so bind may write to it but may not overwrite files that belong to root
> here, and I made it so.
I understand your frustration with something having changed that you
did not expect. I would like to ask you though, what are you trying to
accomplish here? What you suggested isn't really good from a security
perspective because if an attacker does get in they can remove files
from the directory that are owned by root and replace them with their
own versions.
If you give me a better idea what you're trying to do then I can give
you some suggestions on how to make it happen.
> I dislike it very much when a system thinks it knows better what user needs.
So do I. :) In this case however I wanted to set up a system that is
extremely secure by default so that the average user can be
comfortable starting named in its default configuration. Obviously
expert users can tweak the thing themselves.
> Also, I do not want to move a place where bind writes its files to another
> location just because system does not want it to write here.
That's up to you of course, but it's definitely more secure in the
long run to do it that way.
hth,
Doug
--
This .signature sanitized for your protection
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4895EB57.2000801>