BIND 10 #1042: default value for sysconfdir
BIND 10 Development
do-not-reply at isc.org
Tue Sep 6 16:16:07 UTC 2011
#1042: default value for sysconfdir
-------------------------------------+-------------------------------------
Reporter: cas                        | Owner:
Type: enhancement                    | Status: new
Priority: major                      | Milestone: Next-Sprint-Proposed
Component: configuration             | Resolution:
Keywords:                            | Sensitive: 0
Defect Severity: N/A                 | Sub-Project: Core
Feature Depending on Ticket:         | Estimated Difficulty: 2.0
Add Hours to Ticket: 0               | Total Hours: 0
Internal?: 0                         |
-------------------------------------+-------------------------------------
Comment (by cas):
As a Unix admin I expect configuration files in either /etc or
/etc/<productname> by default.
I have seen (and actually written and implemented) security policies for
Internet facing systems where /usr had to be a read-only mount.
On Solaris and Linux I usually have the DNS Server inside a container (LXC
or Solaris Zones) where /usr is mapped/mounted from the host base OS and
is read-only. Inside such containers, only /etc and /var are writeable.
This is usually done to prevent an attacker from changing the binaries below
/usr.
--
Ticket URL: <https://bind10.isc.org/ticket/1042#comment:5>
BIND 10 Development <http://bind10.isc.org>