You should use freebsd-net_at_ for this kind of question, I think.

> I have installed FreeBSD 5.3 with Bind integrated in it. named is running in
> chroot, with user bind, so every file in /etc/namedb is owned by
> bind:wheel, except rndc.key. (I also have rndc.conf with owner bind)
> and it is impossible to start/make rndc reload. If I change the owner on
> rndc.key it is working, but is it a security issue for the user who is running
> named (bind) to have access to rndc.key?

How could named(8) know that the secret provided by rndc(8) is the correct one if it does not have access to it? This is a shared secret. Both the user running named(8) and the one running rndc(8) must have access to the secret.

Let's say you have named(8) running under user "bind" and the rndc user running under user "rndc", and both belong to group "bind". Make rndc.key owned by "root:bind" and use the mode 0640. Therefore only root will be able to modify the key, whereas named(8) and rndc(8) will be able to read it.

Anyway, if your bind(8) is compromised, whether the attacker can read your shared secret or not is pointless: you will have to change it anyway.

Best regards,
-- 
Jeremie Le Hen
jeremie_at_le-hen.org

Received on Wed Jan 19 2005 - 19:39:22 UTC
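The ownership and mode the reply recommends, written out as a small shell helper with a check you can run afterwards. This is an added example, not part of the original mail or of FreeBSD's BIND setup; the key path, the "bind" group and the key file content below are assumptions (the demo uses a constructed key in a temporary file and the current user/group, since "root:bind" needs root).

```shell
# Added example (not from the original mail). Assumptions: /etc/namedb/rndc.key as the
# key path, "bind" as the group shared by the named and rndc users, and a constructed
# key file for the demo at the bottom.

# Print "mode owner group" for a file. Tries GNU stat (Linux) first, then BSD stat (FreeBSD).
file_perms() {
  stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# Apply what the reply suggests: key owned by $owner:$group, mode 0640, so only the
# owner (root) can modify it while named(8) and rndc(8), both in $group, can read it.
#   harden_rndc_key /etc/namedb/rndc.key root bind
harden_rndc_key() {
  key=$1; owner=$2; group=$3
  chown "$owner:$group" "$key" && chmod 0640 "$key"
}

# Return 0 only if $key is owned by $owner:$group with mode 640 (rw-r-----):
# the owner can write, the group can read, and "others" get nothing.
check_rndc_key() {
  key=$1; owner=$2; group=$3
  set -- $(file_perms "$key")
  [ "$1" = "640" ] && [ "$2" = "$owner" ] && [ "$3" = "$group" ]
}

# Demo on a constructed key file (not a real secret) using the current user and group.
demo_rndc_key() {
  tmp=$(mktemp) || return 1
  printf 'key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-NOT-A-REAL-KEY"; };\n' > "$tmp"
  chmod 0644 "$tmp"                      # world-readable: the state we want to fix
  me=$(id -un); mygroup=$(id -gn)
  if check_rndc_key "$tmp" "$me" "$mygroup"; then
    echo "unexpected: $tmp already hardened"
  fi
  harden_rndc_key "$tmp" "$me" "$mygroup"
  if check_rndc_key "$tmp" "$me" "$mygroup"; then
    echo "ok: $(file_perms "$tmp")"
  else
    echo "failed: $(file_perms "$tmp")"
  fi
  rm -f "$tmp"
}

# Uncomment to run the demo stand-alone:
# demo_rndc_key
```

On a real host you would call `harden_rndc_key /etc/namedb/rndc.key root bind` as root and then `check_rndc_key /etc/namedb/rndc.key root bind` from your rc or audit scripts; a non-zero exit means the key is either writable by the named user or readable by everyone, which is the situation the reply is steering away from.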
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:26 UTC