Tom Horsley wrote:
> Why not just *always* run bind chroot?
I'm guessing it's because, in general, Fedora is moving away from
chroot and toward SELinux to provide extra security for these sorts of
services?
> Have the files live in /var/named, then updates just update the one
> and only copy in /var/named? If someone somewhere really and truly
> doesn't want to run chroot, provide a --prefix option in named so he
> can tell it the config files are relative to /var/named instead of
> relative to /, but in any case the config files always live in one
> and only one place.
That sounds like it would entail a similar amount of extra work and
chances for introducing bugs that the bind-chroot-admin script had.
If the bind daemon really is only trusted by admins when it is in a
chroot, it might be a good reason to look at alternative DNS server
software. :)
I don't personally have much interest in this, but if other folks do,
I'm sure suggestions in patch form would be taken more seriously by
the bind maintainers (preferably upstream).
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I expected times like this -- but never thought they'd be so bad, so
long, and so frequent.
-- Demotivators (www.despair.com)
Attachment:
pgpNgD47o37U1.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
