permissions on /etc/namedb
eugen at kuzbass.ru
Sun Aug 3 18:50:40 UTC 2008
On Sun, Aug 03, 2008 at 10:31:03AM -0700, Doug Barton wrote:
> >I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >so bind may write to it but may not overwrite files that belong to root
> >here, and I made it so.
> I understand your frustration with something having changed that you
> did not expect. I would like to ask you though, what are you trying to
> accomplish here? What you suggested isn't really good from a security
> perspective because if an attacker does get in they can remove files
> from the directory that are owned by root and replace them with their
> own versions.
Can he? Doesn't sticky bit on the directory prevent him from that?
> If you give me a better idea what you're trying to do then I can give
> you some suggestions on how to make it happen.
Well, I just want bind be allowed to write to is working directory.
Yes, it's possible to redefine it but I'd rather avoid this,
to not break existing setups.
> >I dislike it very much when a system thinks it knows better what user
> So do I. :) In this case however I wanted to set up a system that is
> extremely secure by default so that the average user can be
> comfortable starting named in its default configuration.
I agree completly.
> Obviously expert users can tweak the thing themselves.
So, the question is: how to tweak?
> >Also, I do not want to move a place where bind writes its files to another
> >location just because system does not want it to write here.
> That's up to you of course, but it's definitely more secure in the
> long run to do it that way.
But that way prevents named to write to its working directory,
this bothers me.
More information about the freebsd-net