DNS on Solaris
Mark.Andrews at nominum.com
Tue Feb 22 22:37:53 UTC 2000
> In article <200002222009.VAA17777 at mail-relay.EU.net>, <dharris at kcp.com> wrote:
> >I also had problems with the BIND build on Solaris 2.7. I also ended up
> >with the install putting files on /usr/local/etc rather than the /etc I was
> >used to. Then I did some looking and realized I could have avoided this.
> >There are some environment variables documented in wherever your download
> >put BIND/SRC/INSTALL. The file INSTALL includes definitions of those
> >variables.
>
> Note that there's a very good reason why it does this. If you use /etc,
> then *anyone* on the system can shut down named. This is because Solaris
> doesn't implement permission checking on sockets; if a socket is in a
> world-executable directory (which /etc must be) then anyone can open and
> write to it. BIND 8.2 listens for commands from the "ndc" program through
> the $DESTBIN/ndc socket; the way to protect it is to make $DESTBIN a
> directory that only root has access to.
>
Actually it is DESTRUN not DESTBIN that controls the location
of the control socket.
BIND 8.2.3 will use DESTRUN/ndc.d/ndc on Solaris and SunOS rather
than DESTRUN/ndc. If there are other ports that only honour the
directory permissions let bind-bugs at isc.org know so we can set the
feature flag on those ports to do the same.
Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
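
The directory-permission point in the thread above, as an added example that is not part of the original message or of BIND: a shell check that the directory holding a control socket is closed to group and other. The helper name `check_socket_dir` and the temporary demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. On a platform that ignores a UNIX-domain socket's own mode
# bits, the directory holding the socket is the only access control.

# check_socket_dir SOCKET_PATH [EXPECTED_UID]   (hypothetical helper)
# returns 0 = protected, 1 = exposed, 2 = directory missing
check_socket_dir() {
    sock=$1
    want_uid=${2:-0}                      # default: directory owned by root
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi
    # ls -ldnL is POSIX: mode string in field 1, numeric owner in field 3;
    # -L resolves a symlinked directory to its target.
    info=$(ls -ldnL "$dir" | awk '{print $1 ":" $3}')
    mode=${info%%:*}
    uid=${info##*:}
    status=0
    case $mode in
        d???------*) ;;                   # no group/other bits at all
        *) echo "EXPOSED: $dir mode $mode grants group/other access"
           status=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "EXPOSED: $dir owned by uid $uid, expected $want_uid"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $dir ($mode, uid $uid)"
    return "$status"
}

# Constructed demo: a world-accessible run directory next to a private
# ndc.d subdirectory, mirroring the DESTRUN/ndc vs DESTRUN/ndc.d/ndc layouts.
demo=$(mktemp -d)
mkdir "$demo/run" "$demo/run/ndc.d"
chmod 755 "$demo/run"
chmod 700 "$demo/run/ndc.d"
check_socket_dir "$demo/run/ndc" "$(id -u)" || true        # reports EXPOSED
check_socket_dir "$demo/run/ndc.d/ndc" "$(id -u)" || true  # reports OK
rm -rf "$demo"
```

A trailing `+` in the mode string means an ACL is set on the directory, which this check does not evaluate and which needs separate review.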