DNS on Solaris

Mark.Andrews at nominum.com
Tue Feb 22 22:37:53 UTC 2000


> In article <200002222009.VAA17777 at mail-relay.EU.net>,  <dharris at kcp.com> wrote:
> >I also had problems with the BIND build on Solaris 2.7.  I also ended up
> >with the install putting files on /usr/local/etc rather than the /etc I was
> >used to.  Then I did some looking and realized I could have avoided this.
> >There are some environment variables documented in wherever your download
> >put BIND/SRC/INSTALL.  The file INSTALL includes definitions of those
> >variables.
> 
> Note that there's a very good reason why it does this.  If you use /etc,
> then *anyone* on the system can shut down named.  This is because Solaris
> doesn't implement permission checking on sockets; if a socket is in a
> world-executable directory (which /etc must be) then anyone can open and
> write to it.  BIND 8.2 listens for commands from the "ndc" program through
> the $DESTBIN/ndc socket; the way to protect it is to make $DESTBIN a
> directory that only root has access to.
> 

	Actually it is DESTRUN not DESTBIN that controls the location
	of the control socket.

	BIND 8.2.3 will use DESTRUN/ndc.d/ndc on Solaris and SunOS rather
	than DESTRUN/ndc.  If there are other ports that only honour the
	directory permissions let bind-bugs at isc.org know so we can set the
	feature flag on those ports to do the same.

	Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
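
Added example, not part of the original message and not BIND code: a check of the directory that holds a control socket such as DESTRUN/ndc.d/ndc, for platforms where only the directory permissions protect the socket. The function name audit_control_dir and the default owner uid 0 (root) are assumptions made for this illustration.

```python
import os
import stat


def audit_control_dir(ctl_path, owner_uid=0):
    """Return findings for the directory holding a control socket.

    Where socket file modes are not enforced, the containing directory
    is the only access control, so it must be owner-only.
    owner_uid=0 (root) is an assumption of this example.
    """
    ctl_dir = os.path.dirname(os.path.abspath(ctl_path))
    try:
        st = os.lstat(ctl_dir)  # lstat: do not follow a symlinked directory
    except FileNotFoundError:
        return [f"{ctl_dir}: directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{ctl_dir}: not a real directory (symlink or other file)"]

    findings = []
    if st.st_uid != owner_uid:
        findings.append(
            f"{ctl_dir}: owned by uid {st.st_uid}, expected {owner_uid}")
    # Any group/other bit lets a non-owner reach the socket inside.
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        findings.append(
            f"{ctl_dir}: group/other bits {extra:03o} set, "
            "socket reachable by non-owners")

    # If something already sits at the socket path, it should be a socket.
    try:
        sock = os.lstat(ctl_path)
    except FileNotFoundError:
        return findings
    if not stat.S_ISSOCK(sock.st_mode):
        findings.append(f"{ctl_path}: exists but is not a socket")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: pass the full path of the control socket, e.g. <DESTRUN>/ndc.d/ndc
    for path in sys.argv[1:]:
        for line in audit_control_dir(path) or [f"{path}: directory is owner-only"]:
            print(line)
```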


