Date: Sat, 21 Sep 2002 22:56:56 -0600 From: Brett Glass <brett@lariat.org> To: Phil Kernick <Phil@Kernick.org> Cc: The Anarcat <anarcat@anarcat.ath.cx>, freebsd-stable@FreeBSD.ORG Subject: Re: Suggested modification to default install Message-ID: <4.3.2.7.2.20020921224956.027c1850@localhost> In-Reply-To: <3D8D07E5.6010609@Kernick.org> References: <4.3.2.7.2.20020920095347.00b15f00@localhost> <20020510194022.D77057@lpt.ens.fr> <000701c1f804$47d5dc00$6401a8c0@penguin> <20020510140222.M57329@lpt.ens.fr> <15580.1017.276905.556906@guru.mired.org> <20020510194022.D77057@lpt.ens.fr> <4.3.2.7.2.20020920095347.00b15f00@localhost> <4.3.2.7.2.20020921145846.026efc50@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
At 05:59 PM 9/21/2002, Phil Kernick wrote: >But by your own logic, the permanent configuration should be in /etc which is where all the configuration file live. Not all. There are also configuration files in /usr/local/etc. Even though BIND is part of the base install, there are good arguments for moving it out to /usr/local (the primary ones being the same as for doing likewise with SSH). >/usr/local is where all of the ports put their stuff. Not just ports. Anything that's really not part of the OS goes there. Now that so many folks use BIND 9 or djbdns, I think that BIND qualifies.... >It's even reasonable to consider that the actual configuration is really named.conf, and the zone files are extras. Well, kinda sorta. Another way to look at it is that if BIND is sandboxed (which it should be!) its home directory should be in the same partition as the other home directories: /usr. >I've always really hated this approach. /usr is where the vendor supplied binaries should live, and should be able to be mounted read only to ensure that they can't easily get trojaned. > >That's why I *always* make /home a separate partition and /usr/local is *always* somewhere else (symlinked back) because both need to be written while /usr never does. I'm sure we could significantly improve security just by doing this. There are good arguments for putting home directories in /var. But as it currently stands, the convention is to put them in /usr. (I don't want to get involved in a discussion of redesigning the UNIX file system conventions here; that could go on forever. I'd like to focus on two goals: making root a synchronous partition and moving BIND's directories out of it (regardless of where they go). >While I disagree with the directory, Maybe we could make it an option? >I do agree that bind should be sandboxed by default. I agree with this. It could be done together with the move. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20020921224956.027c1850>