* Javier Fern?ndez-Sanguino Pe?a (jfs@dat.etsit.upm.es) wrote: > No, no folly. Please think a moment. What permissions are you > suggestion for master zone files? 644 with root:root? That's plain wrong, > I don't want my master zone files to be accesible by any other process > than the name server. That's sensible information, you do disable zone > transfers don't you? 'everyone' on a system is not the same as 'everyone' on the entire network. DNS servers should have a very minimal set of users in any case. This can be handled by having the user/group created on package install. > That means that the only sensible permissions for master zone files are > 640 root:named, or, if you do want the named server to modify them 640 > named:named. > > Do you agree with me here? I certainly wouldn't want named to modify my zone files, I'm not sure but I don't believe even dynamic DNS setups modify the base zone files. I confess that I'm not sure on that though. Regardless, it's been pointed out that zone information may not be shareable trivially between daemons which means adding a user/group when the package is installed should be fine, and will handle your concerns. > Wrong again, I don't want normal users accessing my name server > files, or any rogue process for that matter (apache-ssl, hint, hint). If > we are not going to provide chrooted environments for *all* open services > I want configuration files isolated from one another and protected from > local users. 'hint, hint', you should isolate your services to begin with (to be sure you understand my meaning: perhaps you should consider having seperate machines for dns and web?); that's just basic security architecture. This can all be done by having the user/group created when the package is installed anyway. Stephen
Attachment:
pgpLkv139B5RN.pgp
Description: PGP signature