Date:      Mon, 4 Aug 2008 02:33:46 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <20080803183346.GA53252@svzserv.kemerovo.su>
In-Reply-To: <4895EB57.2000801@FreeBSD.org>
References:  <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org>

On Sun, Aug 03, 2008 at 10:31:03AM -0700, Doug Barton wrote:

> >I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >so bind may write to it but may not overwrite files that belong to root
> >here, and I made it so. 
> I understand your frustration with something having changed that you 
> did not expect. I would like to ask you though, what are you trying to 
> accomplish here? What you suggested isn't really good from a security 
> perspective because if an attacker does get in they can remove files 
> from the directory that are owned by root and replace them with their 
> own versions.

Can he? Doesn't the sticky bit on the directory prevent him from that?

> If you give me a better idea what you're trying to do then I can give 
> you some suggestions on how to make it happen.

Well, I just want bind to be allowed to write to its working directory.
Yes, it's possible to redefine it but I'd rather avoid this,
to not break existing setups.

> >I dislike it very much when a system thinks it knows better what user 
> >needs.
> 
> So do I. :)  In this case however I wanted to set up a system that is 
> extremely secure by default so that the average user can be 
> comfortable starting named in its default configuration.

I agree completely.

> Obviously expert users can tweak the thing themselves.

So, the question is: how to tweak?

> >Also, I do not want to move a place where bind writes its files to another
> >location just because system does not want it to write here.
> 
> That's up to you of course, but it's definitely more secure in the 
> long run to do it that way.

But that way prevents named from writing to its working directory,
this bothers me.

Eugene Grosbein
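
The following is an added example, not part of the original message or of FreeBSD: a small model of the classic UNIX permission and sticky-directory rules (as documented in sticky(7)), used to audit which entries of a root:bind directory the bind user could remove, rename or modify with mode 01775 versus 0775. The uid/gid 53, the file names and the `Node` type are constructed for illustration; ACLs, file flags (chflags) and MAC policies are not modelled.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the os.stat_result fields that matter here.
Node = namedtuple("Node", "name uid gid mode")

def _class_bits(node, uid, gids):
    """Return the rwx triplet (owner, group or other) that applies to uid."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_remove(directory, entry, uid, gids):
    """May uid unlink or rename `entry` inside `directory`?"""
    if uid == 0:
        return True
    if _class_bits(directory, uid, gids) & 3 != 3:  # need write + search
        return False
    if directory.mode & stat.S_ISVTX:
        # Sticky directory: only the entry's owner or the directory's owner.
        return uid in (entry.uid, directory.uid)
    return True

def can_write(entry, uid, gids):
    """May uid modify the contents of `entry` in place?"""
    return uid == 0 or bool(_class_bits(entry, uid, gids) & 2)

def audit(directory, entries, uid, gids):
    """Names of entries that uid can remove, rename or modify."""
    return [e.name for e in entries
            if can_remove(directory, e, uid, gids) or can_write(e, uid, gids)]

# Constructed sample data: ids and file names are assumptions.
BIND_UID, BIND_GID = 53, 53
NAMEDB = Node("/etc/namedb", 0, BIND_GID, 0o041775)
FILES = [
    Node("named.conf", 0, 0, 0o100644),                 # root's config
    Node("managed.jnl", BIND_UID, BIND_GID, 0o100644),  # written by named
    Node("loose.zone", 0, BIND_GID, 0o100664),          # root-owned, group-writable
]

if __name__ == "__main__":
    plain = NAMEDB._replace(mode=0o040775)
    print("sticky 01775:", audit(NAMEDB, FILES, BIND_UID, {BIND_GID}))
    print("plain   0775:", audit(plain, FILES, BIND_UID, {BIND_GID}))
```

The sticky bit only governs removal and renaming of directory entries; a root-owned file that is itself group-writable stays modifiable in place, which is why `loose.zone` is reported in both cases.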


