Date:      Mon, 4 Aug 2008 14:06:58 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <20080804060658.GA19639@svzserv.kemerovo.su>
In-Reply-To: <4896997D.8060001@FreeBSD.org>
References:  <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org>

On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:

> >>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >>>so bind may write to it but may not overwrite files that belong to root
> >>>here, and I made it so. 
> >>I understand your frustration with something having changed that you 
> >>did not expect. I would like to ask you though, what are you trying to 
> >>accomplish here? What you suggested isn't really good from a security 
> >>perspective because if an attacker does get in they can remove files 
> >>from the directory that are owned by root and replace them with their 
> >>own versions.
> >
> >Can he? Doesn't sticky bit on the directory prevent him from that?
> 
> That's a question that you can and should answer for yourself.

That was a rhetorical question - I wished to give you a chance
to correct yourself :-) Cheers :-)

> (In fact one could argue that you should have answered that for yourself 
> before you tried to set it up that way, but I digress.) :)

I knew the right answer before I tried to set it up that way.

> >>If you give me a better idea what you're trying to do then I can give 
> >>you some suggestions on how to make it happen.
> >
> >Well, I just want bind to be allowed to write to its working directory.
> 
> I think that your idea of "BIND's working directory" is probably 
> flawed

That's not my idea. From /var/log/messages:

Aug  3 15:02:18 host named[657]: the working directory is not writable

> but if what you want is to make /etc/namedb writable by the 
> bind user and have it persist from boot to boot someone else already 
> told you how to do that, so good luck.

Sigh... I have to study mtree now. And for what reason?
Just because the system thinks it knows better what the user needs.

Eugene Grosbein
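The point the two of them disagree on above is what the sticky bit on a group-writable directory actually restricts. The following is an added example, not code from the original message or from FreeBSD: a small Python model of the two permission checks a Unix kernel applies in this situation, the unlink/rename check on the directory (where S_ISVTX matters) and the plain write check on the file itself (where it does not). The inodes, uids and gids are constructed for the thread's scenario (/etc/namedb as root:bind with mode 01775, a root-owned named.conf with mode 0644; uid 53 for bind is an assumption matching FreeBSD's default).

```python
"""Model of the permission checks behind the /etc/namedb question:
may a process running as the bind user remove or overwrite a root-owned
file in a root:bind directory with mode 01775?

Constructed illustration, not kernel code. Uids/gids are assumptions:
root = 0, bind = 53 (FreeBSD's default for the bind account).
"""
import stat
from dataclasses import dataclass


@dataclass
class Inode:
    mode: int   # permission bits plus S_ISVTX; file-type bits omitted
    uid: int
    gid: int


@dataclass
class Cred:
    uid: int
    groups: frozenset  # primary plus supplementary gids


def has_access(node: Inode, cred: Cred, want: int) -> bool:
    """Classic owner/group/other check. `want` is an rwx mask
    (r=4, w=2, x=1). Root passes any read/write check; for execute or
    directory search it still needs at least one x bit set."""
    if cred.uid == 0:
        if want & 0o1:
            return bool(node.mode & 0o111)
        return True
    if cred.uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in cred.groups:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return (bits & want) == want


def may_unlink(dirnode: Inode, filenode: Inode, cred: Cred) -> bool:
    """unlink(2)/rename(2) of an entry in `dirnode`."""
    # Removing an entry needs write and search permission on the directory.
    if not has_access(dirnode, cred, 0o3):
        return False
    # With the sticky bit set, only the file owner, the directory owner
    # or root may remove or rename the entry, even though the directory
    # is group-writable.
    if dirnode.mode & stat.S_ISVTX:
        return cred.uid in (0, dirnode.uid, filenode.uid)
    return True


def may_write_contents(filenode: Inode, cred: Cred) -> bool:
    """open(2) for writing / truncation of the file itself. The sticky
    bit on the parent directory plays no part here; only the file's own
    mode and ownership decide."""
    return has_access(filenode, cred, 0o2)


ROOT, BIND = 0, 53                       # assumed uids/gids
root_cred = Cred(ROOT, frozenset({ROOT}))
bind_cred = Cred(BIND, frozenset({BIND}))


def scenario(dir_mode: int) -> dict:
    """Evaluate the thread's setup for a given /etc/namedb mode."""
    namedb = Inode(dir_mode, ROOT, BIND)          # root:bind directory
    named_conf = Inode(0o644, ROOT, BIND)         # root-owned config
    own_dump = Inode(0o644, BIND, BIND)           # file bind created itself
    return {
        "bind_can_unlink_named_conf": may_unlink(namedb, named_conf, bind_cred),
        "bind_can_overwrite_named_conf": may_write_contents(named_conf, bind_cred),
        "bind_can_unlink_own_file": may_unlink(namedb, own_dump, bind_cred),
        "root_can_unlink_bind_file": may_unlink(namedb, own_dump, root_cred),
    }


if __name__ == "__main__":
    for mode in (0o1775, 0o775):
        print(f"{mode:05o}: {scenario(mode)}")
```

With mode 01775 the model reports that bind can create and later remove its own files but cannot unlink or overwrite root's named.conf; drop the sticky bit (0775) and the unlink becomes possible, while the overwrite still depends only on the file's own 0644 mode. The caveat for a practitioner is the other direction: the sticky bit does nothing for a root-owned file that is itself group-writable, and it does not stop a compromised named from planting new files in the directory.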


