file perms when running bind as non-root?

Mark_Andrews at isc.org
Tue Jan 13 21:33:15 UTC 2004


> What is the recommendation for securely setting up file permissions when
> running bind as non-root?
> 
> I'd like to minimize named's ability to write to directories and files
> that it doesn't need to but this interferes with zone transfers and
> dynamic update logs & update log rolling.
> 
> What happens if it is unable to create the update log or roll it into
> the zone, would the updates just stay in memory? Is there any directive
> in recent bind 8s to control this? I don't care if the updates are lost
> on a restart since my zone data is stored in an external database.
 
	Updates will fail.

> Is this all just a waste of time?

	The key word above was "minimize".  "minimize" does not mean
	stopping named writing where it needs to.  It means preventing
	named writing where it shouldn't.

	named has to be able to write to its working directory.  It
	has to be able to write to the directory containing dynamic
	zones.  It has to be able to write to the directory containing
	slave / stub zones.  It has to be able to write to the
	directory containing log files.

	Mark

> Thanks,
> David Sorkin
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
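The "minimize" rule Mark states (named may write to its working directory, the dynamic-zone directory, the slave/stub directory and the log directory, and nowhere else) can be checked mechanically. The script below is an added example, not code from the thread or from ISC: it builds a scratch directory tree in the layout Mark describes, then audits every path in it, reporting anything owner-writable outside those four directories and anything world-writable anywhere. The `etc/`, `var/named/...` and `var/log/named` paths are illustrative assumptions, and the user running the script stands in for the `named` account; the audit reads mode bits with `ls -ld`, so it gives the same answer whether run as root or not.

```shell
#!/bin/sh
# Added example (not from the post). Assumed layout, relative to a tree root:
#   etc/named.conf            read-only to named
#   var/named                 working directory     (writable)
#   var/named/dynamic         dynamic zones + jnl   (writable)
#   var/named/slave           slave / stub zones    (writable)
#   var/log/named             log files             (writable)

# Directories named legitimately writes to, per the reply above.
NAMED_WRITABLE_DIRS="var/named var/named/dynamic var/named/slave var/log/named"

# 10-character mode string, e.g. "drwxr-xr-x"; independent of who runs the check.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True when a tree-relative path is one of the writable directories or lies inside one.
is_allowed_writable() {
    rel="$1"
    for d in $NAMED_WRITABLE_DIRS; do
        case "$rel" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Audit a tree: findings go to stderr, the number of findings to stdout.
# Position 3 of the mode string is the owner write bit, position 9 the "other" write bit.
audit_layout() {
    base="$1"
    findings=0
    paths="$(find "$base" -mindepth 1)"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        rel="${p#"$base"/}"
        mode="$(mode_of "$p")"
        case "$mode" in
            ????????w?)
                echo "world-writable: $rel ($mode)" >&2
                findings=$((findings + 1))
                continue ;;
        esac
        case "$mode" in
            ??w*)
                if ! is_allowed_writable "$rel"; then
                    echo "owner-writable outside named's directories: $rel ($mode)" >&2
                    findings=$((findings + 1))
                fi ;;
        esac
    done <<EOF
$paths
EOF
    echo "$findings"
}

# Scratch tree with the hardened permissions: config and parent dirs read-only,
# only the four named-owned directories writable. Zone content is constructed.
make_hardened_layout() {
    base="$1"
    mkdir -p "$base/etc" "$base/var/named/dynamic" "$base/var/named/slave" "$base/var/log/named"
    printf 'options { directory "%s/var/named"; };\n' "$base" > "$base/etc/named.conf"
    printf 'example.com. IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400\n' \
        > "$base/var/named/dynamic/example.com.db"
    chmod 0444 "$base/etc/named.conf"
    chmod 0555 "$base/etc" "$base/var" "$base/var/log"
    chmod 0755 "$base/var/named" "$base/var/named/dynamic" "$base/var/named/slave" "$base/var/log/named"
    chmod 0644 "$base/var/named/dynamic/example.com.db"
}

# Same tree with two typical mistakes: named can rewrite its own config,
# and the log directory is world-writable.
make_weak_layout() {
    make_hardened_layout "$1"
    chmod 0644 "$1/etc/named.conf"
    chmod 0777 "$1/var/log/named"
}

# Restore write bits so the scratch tree can be removed by a non-root user.
cleanup_layout() {
    chmod -R u+rwx "$1"
    rm -rf "$1"
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    t="$(mktemp -d)"; make_hardened_layout "$t"
    echo "hardened tree findings: $(audit_layout "$t")"; cleanup_layout "$t"
    t="$(mktemp -d)"; make_weak_layout "$t"
    echo "weak tree findings: $(audit_layout "$t")"; cleanup_layout "$t"
fi
```

Pointing `audit_layout` at a real chroot or `/var/named` tree is the same call; only the `NAMED_WRITABLE_DIRS` list needs to match the `directory` option and zone file locations in the actual `named.conf`.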