Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)

To: debian-devel@lists.debian.org
Subject: Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Tue, 17 Sep 2002 09:58:37 +0200
Message-id: <[🔎] 20020917075837.GA18883@dat.etsit.upm.es>
In-reply-to: <[🔎] 20020916194132.GD6728@misery.proulx.com>
References: <[🔎] 20020910191448.GA25311@chunk.voxel.net> <[🔎] 20020916161410.GA4364@dat.etsit.upm.es> <[🔎] 20020916161942.GE1324@ns> <[🔎] 200209161852.02908.russell@coker.com.au> <[🔎] 20020916171734.GA6322@dat.etsit.upm.es> <[🔎] 20020916174142.GH1324@ns> <[🔎] 20020916175337.GA7453@dat.etsit.upm.es> <[🔎] 20020916181131.GI1324@ns> <[🔎] 20020916194132.GD6728@misery.proulx.com>

On Mon, Sep 16, 2002 at 01:41:32PM -0600, Bob Proulx wrote:
> Agreed. <Alarm Bells!> The entire purpose of running named as special
> account is to restrict any access to the filesystem if the daemon is
> cracked.  Therefore assuming a 'named' user as is typical for running
> named non-root, then zero configuration files, absolutely none, should
> ever be owned by the 'named' user.  All configuration files should be
> owned by 'root' to keep them safe from damage in the case of a
> successful attack against the daemon.

Having them readable (but not writable) by the daemon keeps them safe
against attack *and* permits administators to set tighter ownerships (no
o+rX, mind you)

> Agreed.

I (mostly) agree, and I stand corrected as for the possibility of sharing
zone configuration files (which seems not be possible even if it would be
a big plus). However, I would still suggest that zone configuration files
(which should probably *not* be cleared by a --purge, ala /var/www) should
be 640 root:named and not 644 root:root.

However (and I have not investigated this issue) if bind when using -u/-g
is able to read 640 root:root files I would happily abide with the
opinion of the vast majority :)

Javi

Reply to:

References:
- NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Andres Salomon <dilinger@mp3revolution.net>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Stephen Frost <sfrost@snowman.net>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Russell Coker <russell@coker.com.au>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Stephen Frost <sfrost@snowman.net>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Javier Fernández-Sanguino Peña <jfs@dat.etsit.upm.es>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: Stephen Frost <sfrost@snowman.net>
- Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
  - From: bob@proulx.com (Bob Proulx)

Prev by Date: Re: Accepted po-debconf 0.2.2 (all source)
Next by Date: Re: Seeking help to resolve a lintian request
Previous by thread: Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
Next by thread: Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)
Index(es):
- Date
- Thread