On Oct 4, 2004, at 10:48 PM, Makoto Matsushita wrote:
> [ ...hier compliance... ] Yes, the named configuration file (I
> believe it is considered generally as important), master zone files
> (also important, at least for me), are located under "/var."
>
> So here's my question to all "running named with chroot sandbox"
> users: are you ok with such important file is under /var?

You raise a point that is worth considering. FWIW, I was running nameservers with the config file at /etc/named.conf before the ability to chroot() was available. However, the point can be answered in that it is entirely reasonable to have something like:

    named_enable="YES"
    named_flags="-u bind -g bind -c /etc/named.conf"

...in /etc/rc.conf and then do whatever you like under /var/named.

Some people want all of the zone files in one place, others want to use s/ and /m (or slave/ and master/). Zone file naming conventions also vary: some append .rev and .db to zone files, some use just the former and not the latter; etc.

So long as the options support reasonable flexibility and do not break backwards compatibility too much, any reasonable default is OK, and Doug as maintainer is making a reasonable attempt to improve the security of a daemon that many FreeBSD systems use. Yay!

I suppose the situation could be improved by having some shell script which converts pre-chrooted named configs (at least the prior default config from 4.x) into the new layout, perhaps by creating symlinks from the current locations into the chroot tree under /var/named. Would something like that help address your concerns?

-- 
-Chuck

Received on Tue Oct 05 2004 - 01:39:43 UTC
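
The conversion script suggested in the message above, sketched as an added example that is not part of the original post and is not FreeBSD's own code: it moves a pre-chroot named.conf and zone files into the chroot tree and leaves symlinks at the old locations. The function names, the etc/namedb sub-directory inside the chroot, and the argument order are assumptions.

```shell
#!/bin/sh
# Added example: migrate a pre-chroot named layout into a chroot tree.
# Assumed layout: everything lands in CHROOT/etc/namedb.

# relocate SRC DSTDIR: move one regular file, symlink the old path to it.
relocate() {
    src=$1
    dst="$2/$(basename "$1")"
    if [ -L "$src" ]; then return 0; fi         # already migrated
    if [ ! -f "$src" ]; then
        echo "not a regular file: $src" >&2; return 1
    fi
    if [ -e "$dst" ] || [ -L "$dst" ]; then     # never clobber chroot contents
        echo "refusing to overwrite: $dst" >&2; return 1
    fi
    mv "$src" "$dst" && ln -s "$dst" "$src"
}

# migrate_named OLD_CONF OLD_ZONEDIR CHROOT
migrate_named() {
    old_conf=$1; old_zones=$2; chroot=$3
    # A relative symlink target would resolve against the old directory
    # and dangle, so insist on an absolute chroot path.
    case $chroot in
        /*) ;;
        *) echo "chroot path must be absolute: $chroot" >&2; return 1 ;;
    esac
    new_dir="$chroot/etc/namedb"
    mkdir -p "$new_dir" || return 1

    relocate "$old_conf" "$new_dir" || return 1
    for f in "$old_zones"/*; do
        [ -f "$f" ] || continue                 # skip subdirs and empty glob
        relocate "$f" "$new_dir" || return 1
    done
    # A chrooted named resolves paths in named.conf inside the chroot, so
    # its "directory" option should read /etc/namedb after migration.
    return 0
}

# Run only when called with the three arguments; sourcing does nothing.
if [ "$#" -eq 3 ]; then migrate_named "$@"; fi
```

The symlinks only serve tools and administrators working outside the chroot; the chrooted daemon reads the real files under the new tree.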