Enrico Scholz wrote:
Andrew Farris <lordmorgul@xxxxxxxxx> writes:
pz/ and the other parts of the chroot filesystem must be read-only
for named.
And why exactly is that?
To give only the required rights is a common and working practice for
years to secure daemons. Fedora should not forget classical ways
(own uid, chroot environments, restrictive permissions) just to give
something like "easier configuration" (where I can not see how mixing
all and everything into a single dir can ease configuration).
I understand the idea behind minimum access restrictions; my reply/question was
in regard to the use of the word 'must' which I assumed to be more than
suggestion based on best practice (i.e. it won't work unless..). Manuel
Wolfshant said much the same that you (Enrico) did above in his reply that I
replied to... (btw.. to Manuel, sorry I did misread and reply 'to you' when
'you' and 'Enrico' were not one in the same, been a long day). Anyway, that
common practice is certainly not something that should be ignored lightly, but
lets not confuse whether it is suggestion or necessity. (that is all I was asking)
If anyone has reason to believe real *breakage* occurs due to the change Adam
Tkac was suggesting I hope they speak up.
--
Andrew Farris <lordmorgul@xxxxxxxxx> <ajfarris@xxxxxxxxx>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
