
Re: [cobalt-security] Anyone else get this error?



JL> Date: Sun, 29 Dec 2002 14:18:29 -0800
JL> From: Jeff Lasman


JL> Thanks for the great and simply-implemented suggestion...

Thanks, too, to Eugene for pointing out to check the return
output.  I probably should have indicated that wasn't to be used
verbatim, or have posted exact instructions.  In a real crontab,
I also use umask, chown, and chmod to force proper permissions.
Needless virtually 100% of the time, but harmless.

Quite frankly, I should whip up a quick 'C' program and not even
mess with shell scripting.  Check the file's existence, perms,
and its data integrity.  I dislike using Perl for sys management
because that lengthens the dependency chain...

Yes, I'm extremely picky and pedantic about the boxen I admin.
*shrug*


JL> However, I'm one of those people who thought that bind could
JL> take care of this itself.
JL>
JL> Do you see this as a problem that came about with running
JL> bind as non-root user?

I agree that BIND can take care of it on its own.  That way is
simpler, no doubt.

The main reason I have named.conf, $INCLUDE files (not standard
Cobalt), and root-zone cache owned by root:root is paranoia.  If
there's a zero-day or negative-day exploit that falls into the
wrong hands, I don't want BIND able to overwrite certain files.
It's an attempt to minimize potential damage.

Granted, there probably are bigger problems if BIND gets cracked.
However, I'm one of those paranoid minimalists; if BIND can run
with a file owned by root:root, that's how I run it.  Whether or
not it's worthwhile certainly is open to debate.

By contrast, I use default permissions on djbdns.  On the DNS
server daemon I'm writing, I have several automated updates and
functions of my own.  I'm less paranoid in these situations.

Bottom line:  BIND makes me nervous.  I think my way is a correct
way, but not _the_ correct way.  IMHO, letting BIND update the
root cache is equally valid... it just is not my personal
preference.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.