Re: BIND less restrictive modes and policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 01/22/2008 03:17 AM, Andrew Farris wrote:

Enrico Scholz wrote:

Adam Tkac <atkac@xxxxxxxxxx> writes:


Also complete /var/named/* subtree will be writable by named
This is bad. Only the slaves/ and data/ (for DDNS) dirs must be writable. 
pz/ and the other parts of the chroot filesystem must be read-only for
named.
And why exactly is that? Any reference or reason? What becomes exploitable if that is changed?
Bind DID have security issues in the past, providing remote root. Just because we have selinux and that as far as we know NOW there are no atack methods is not a reason to lower the difficulty bar. Just give any application the minimum rights needed to do what it has to do. Any method which raises the difficulty bar for a potential attacker -- especially when it is already available and taking into consideration potential DNS poisoning attacks -- is good. Lowering the bar with no real gain is bad. 

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux