permissions on /etc/namedb
Eugene Grosbein
eugen at kuzbass.ru
Mon Aug 4 06:07:02 UTC 2008
On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:
> >>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
> >>>so bind may write to it but may not overwrite files that belong to root
> >>>here, and I made it so.
> >>I understand your frustration with something having changed that you
> >>did not expect. I would like to ask you though, what are you trying to
> >>accomplish here? What you suggested isn't really good from a security
> >>perspective because if an attacker does get in they can remove files
> >>from the directory that are owned by root and replace them with their
> >>own versions.
> >
> >Can he? Doesn't sticky bit on the directory prevent him from that?
>
> That's a question that you can and should answer for yourself.
That was rhetorical quostion - I wished to give you a chance
to correct yourself :-) Cheer :-)
> (In fact one could argue that you should have answered that for yourself
> before you tried to set it up that way, but I digress.) :)
I knew right answer before tried to set up that way.
> >>If you give me a better idea what you're trying to do then I can give
> >>you some suggestions on how to make it happen.
> >
> >Well, I just want bind be allowed to write to is working directory.
>
> I think that your idea of "BIND's working directory" is probably
> flawed
That's not my idea. From /var/log/messages:
Aug 3 15:02:18 host named[657]: the working directory is not writable
> but if what you want is to make /etc/namedb writable by the
> bind user and have it persist from boot to boot someone else already
> told you how to do that, so good luck.
Sigh... I have to study mtree now. And for what reason?
Just because the system thinks it knows better what user needs.
Eugene Grosbein
More information about the freebsd-net
mailing list