Date:      Mon, 4 Aug 2008 02:33:46 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <20080803183346.GA53252@svzserv.kemerovo.su>
In-Reply-To: <4895EB57.2000801@FreeBSD.org>
References:  <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org>


On Sun, Aug 03, 2008 at 10:31:03AM -0700, Doug Barton wrote:

> >I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >so bind may write to it but may not overwrite files that belong to root
> >here, and I made it so. 
> I understand your frustration with something having changed that you 
> did not expect. I would like to ask you though, what are you trying to 
> accomplish here? What you suggested isn't really good from a security 
> perspective because if an attacker does get in they can remove files 
> from the directory that are owned by root and replace them with their 
> own versions.

Can he? Doesn't the sticky bit on the directory prevent him from that?

> If you give me a better idea what you're trying to do then I can give 
> you some suggestions on how to make it happen.

Well, I just want bind to be allowed to write to its working directory.
Yes, it's possible to redefine it but I'd rather avoid this,
to not break existing setups.

> >I dislike it very much when a system thinks it knows better what user 
> >needs.
> 
> So do I. :)  In this case however I wanted to set up a system that is 
> extremely secure by default so that the average user can be 
> comfortable starting named in its default configuration.

I agree completely.

> Obviously expert users can tweak the thing themselves.

So, the question is: how to tweak?

> >Also, I do not want to move a place where bind writes its files to another
> >location just because system does not want it to write here.
> 
> That's up to you of course, but it's definitely more secure in the 
> long run to do it that way.

But that way prevents named from writing to its working directory,
this bothers me.

Eugene Grosbein
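
The sticky-bit rule this exchange turns on, as an added example that is not part of the original message: in a sticky directory an entry can be removed or renamed only by a user who has write permission on the directory and is the owner of the entry, the owner of the directory, or the superuser (see sticky(7)). The function names are hypothetical, and the model checks classic mode bits only, ignoring ACLs, MAC policy and Linux capabilities.

```python
import os
import stat
import sys

def may_modify_dir(st, uid, gids):
    """Write+search on a directory by classic owner/group/other bits (assumption: no ACLs)."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def removable_entries(directory, uid, gids):
    """Names in `directory` that the identity (uid, gids) could unlink or rename."""
    dst = os.stat(directory)
    if not may_modify_dir(dst, uid, gids):
        return []          # no write+search on the directory: nothing can be removed
    sticky = bool(dst.st_mode & stat.S_ISVTX)
    names = []
    for name in sorted(os.listdir(directory)):
        est = os.lstat(os.path.join(directory, name))
        # Sticky directory: only the entry owner, the directory owner or root may remove it.
        if not sticky or uid in (0, dst.st_uid, est.st_uid):
            names.append(name)
    return names

if __name__ == "__main__" and len(sys.argv) >= 4:
    # Usage: script.py DIRECTORY UID GID [GID ...], e.g. the uid and gid of the bind user
    path, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    print(f"{path} mode {mode:05o}")
    print("can create new entries:", may_modify_dir(os.stat(path), uid, gids))
    print("can remove or rename:  ", removable_entries(path, uid, gids))
```

For a directory owned by root:bind with mode 01775, running it with the bind uid and gid lists only the entries that bind itself owns, while still reporting that bind can create new files there.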

