Date:      Mon, 4 Aug 2008 14:06:58 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <20080804060658.GA19639@svzserv.kemerovo.su>
In-Reply-To: <4896997D.8060001@FreeBSD.org>
References:  <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org>


On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:

> >>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >>>so bind may write to it but may not overwrite files that belong to root
> >>>here, and I made it so. 
> >>I understand your frustration with something having changed that you 
> >>did not expect. I would like to ask you though, what are you trying to 
> >>accomplish here? What you suggested isn't really good from a security 
> >>perspective because if an attacker does get in they can remove files 
> >>from the directory that are owned by root and replace them with their 
> >>own versions.
> >
> >Can he? Doesn't sticky bit on the directory prevent him from that?
> 
> That's a question that you can and should answer for yourself.

That was a rhetorical question - I wished to give you a chance
to correct yourself :-) Cheer :-)

> (In fact one could argue that you should have answered that for yourself 
> before you tried to set it up that way, but I digress.) :)

I knew the right answer before I tried to set it up that way.

> >>If you give me a better idea what you're trying to do then I can give 
> >>you some suggestions on how to make it happen.
> >
> >Well, I just want bind to be allowed to write to its working directory.
> 
> I think that your idea of "BIND's working directory" is probably 
> flawed

That's not my idea. From /var/log/messages:

Aug  3 15:02:18 host named[657]: the working directory is not writable

> but if what you want is to make /etc/namedb writable by the 
> bind user and have it persist from boot to boot someone else already 
> told you how to do that, so good luck.

Sigh... I have to study mtree now. And for what reason?
Just because the system thinks it knows better what the user needs.

Eugene Grosbein
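The question the thread turns on, whether the sticky bit on a root:bind 01775 directory stops the bind user from removing root-owned files, can be checked against a model of the unlink permission rule. The following is an added example, not code from the thread or from FreeBSD; the uids, gids and file names are constructed, and root is modelled as bypassing rwx checks outright.

```python
# Added example: a model of the POSIX/FreeBSD unlink(2) permission rule for a
# directory such as /etc/namedb owned by root:bind with mode 01775.
# All uids/gids below are constructed for the demonstration.
from dataclasses import dataclass

S_ISVTX = 0o1000  # sticky bit on a directory

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits plus sticky bit, e.g. 0o1775

@dataclass(frozen=True)
class Caller:
    uid: int
    gids: frozenset

def _has(inode, caller, bit):
    """Owner/group/other rwx check; bit is 4 (r), 2 (w) or 1 (x)."""
    if caller.uid == 0:          # simplification: root bypasses rwx checks
        return True
    if caller.uid == inode.uid:
        perm = (inode.mode >> 6) & 7
    elif inode.gid in caller.gids:
        perm = (inode.mode >> 3) & 7
    else:
        perm = inode.mode & 7
    return bool(perm & bit)

def can_create(directory, caller):
    """Creating an entry needs write and search permission on the directory."""
    return _has(directory, caller, 2) and _has(directory, caller, 1)

def can_unlink(directory, victim, caller):
    """Unlink (and rename) need w+x on the directory; with the sticky bit set,
    only root, the file's owner or the directory's owner may remove the entry."""
    if not (_has(directory, caller, 2) and _has(directory, caller, 1)):
        return False
    if not directory.mode & S_ISVTX:
        return True
    return caller.uid in (0, victim.uid, directory.uid)

ROOT, BIND_UID, BIND_GID, WHEEL = 0, 53, 53, 0          # constructed ids
bind = Caller(uid=BIND_UID, gids=frozenset({BIND_GID}))
root_file = Inode(uid=ROOT, gid=WHEEL, mode=0o644)       # e.g. a root-owned zone file

def namedb_outcome(dir_mode):
    """Return (bind can create files, bind can unlink root's file) for dir_mode."""
    d = Inode(uid=ROOT, gid=BIND_GID, mode=dir_mode)
    return can_create(d, bind), can_unlink(d, root_file, bind)

if __name__ == "__main__":
    for m in (0o1775, 0o775):
        c, u = namedb_outcome(m)
        print(f"mode {m:05o}: bind can create={c}, can unlink root's file={u}")
```

The model shows the sticky bit blocks removal and renaming of root-owned entries but not creation of new files, and it says nothing about a root-owned file that is itself group- or world-writable.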

