Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 29 Aug 2001 14:46:27 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Sheldon Hearn <sheldonh@starjuice.net>
Cc:        Brian Somers <brian@Awfulhak.org>, Joshua Goodall <joshua@roughtrade.net>, Giorgos Keramidas <keramida@ceid.upatras.gr>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@freebsd-services.com, brian@freebsd-services.com
Subject:   Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
Message-ID:  <200108291346.f7TDkRf76403@hak.lan.Awfulhak.org>
In-Reply-To: Message from Sheldon Hearn <sheldonh@starjuice.net>  of "Wed, 29 Aug 2001 15:30:58 %2B0200." <76675.999091858@axl.seasidesoftware.co.za> 

next in thread | previous in thread | raw e-mail | index | archive | help
> On Wed, 29 Aug 2001 14:09:14 +0100, Brian Somers wrote:
> 
> > For the n'th time on this thread, everyone that has
> > 
> >   named_enable=YES
> > 
> > in /etc/rc.conf and don't have ``named_flags='' will now have named 
> > running with -u bind and will not be able to update their secondary 
> > zone files.
> 
> Why?  The same mergemaster that changes named_flags in
> /etc/defaults/rc.conf will also change /etc/namedb/named.conf .

What, you have a live nameserver that has a configuration that even 
closely resembles the distributed named.conf ?  Why do I find that 
difficult to believe ?

Remember, we're not talking about scratch boxes here, we're talking 
about this change not being appropriate for -stable (production).

> > Now perhaps someone can tell me what the purpose of this blatant
> > -minded breakage is.  What do we gain by changing the default 
> > variable values for a service that has never been enabled by default ?
> 
> We gain protection of a significant number of entry-level administrators
> from potential root exploits.

This was already half achieved by the presence of the commented out 
named_flags variable.  Adding a comment to impress on people that 
using -u bind is more secure would have been a good change.  Removing 
the # so that configurations break is.... well, see above.

> I ignored the rest of your message because it only applies if you're
> right about the impact, and I don't think you are.

If you've got no facts then we've got nothing to discuss.  What 
exactly do you mean when you say you don't think I'm right ?  Are you 
saying that you don't think there are any users out there that query 
on port 53 or that have read-only-by-root key files ?  Or are you 
saying that they had better be smart enough to drop a named_enable= 
in their rc.conf to counter a gratuitous change ?

> Ciao,
> Sheldon.

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108291346.f7TDkRf76403>