[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)



* Javier Fern?ndez-Sanguino Pe?a (jfs@dat.etsit.upm.es) wrote:
> 	No, no folly. Please think a moment. What permissions are you
> suggestion for master zone files? 644 with root:root? That's plain wrong,
> I don't want my master zone files to be accesible by any other process
> than the name server. That's sensible information, you do disable zone 
> transfers don't you?

'everyone' on a system is not the same as 'everyone' on the entire
network.  DNS servers should have a very minimal set of users in any
case.  This can be handled by having the user/group created on package
install.

> That means that the only sensible permissions for master zone files are 
> 640 root:named, or, if you do want the named server to modify them 640
> named:named.
> 
> Do you agree with me here?

I certainly wouldn't want named to modify my zone files, I'm not sure
but I don't believe even dynamic DNS setups modify the base zone files.
I confess that I'm not sure on that though.  Regardless, it's been
pointed out that zone information may not be shareable trivially between
daemons which means adding a user/group when the package is installed 
should be fine, and will handle your concerns.

> 	Wrong again, I don't want normal users accessing my name server
> files, or any rogue process for that matter (apache-ssl, hint, hint). If
> we are not going to provide chrooted environments for *all* open services
> I want configuration files isolated from one another and protected from
> local users.

'hint, hint', you should isolate your services to begin with (to be sure
you understand my meaning: perhaps you should consider having seperate
machines for dns and web?); that's just basic security architecture.
This can all be done by having the user/group created when the package is
installed anyway.

	Stephen

Attachment: pgp8zieNkwkUE.pgp
Description: PGP signature


Reply to: