JL> Date: Sun, 29 Dec 2002 14:18:29 -0800
JL> From: Jeff Lasman

Thanks for the great and simply-implemented suggestion... Thanks, too, to Eugene for pointing out to check the return output.

I probably should have indicated that wasn't to be used verbatim, or have posted exact instructions. In a real crontab, I also use umask, chown, and chmod to force proper permissions. Needless virtually 100% of the time, but harmless.

Quite frankly, I should whip up a quick 'C' program and not even mess with shell scripting. Check the file's existence, perms, and its data integrity. I dislike using Perl for sys management because that lengthens the dependency chain... Yes, I'm extremely picky and pedantic about the boxen I admin. *shrug*

JL> However, I'm one of those people who thought that bind could
JL> take care of this itself.
JL>
JL> Do you see this as a problem that came about with running
JL> bind as non-root user?

I agree that BIND can take care of it on its own. That way is simpler, no doubt.

The main reason I have named.conf, $INCLUDE files (not standard Cobalt), and root-zone cache owned by root:root is paranoia. If there's a zero-day or negative-day exploit that falls into the wrong hands, I don't want BIND able to overwrite certain files. It's an attempt to minimize potential damage.

Granted, there probably are bigger problems if BIND gets cracked. However, I'm one of those paranoid minimalists; if BIND can run with a file owned by root:root, that's how I run it. Whether or not it's worthwhile certainly is open to debate.

By contrast, I use default permissions on djbdns. On the DNS server daemon I'm writing, I have several automated updates and functions of my own. I'm less paranoid in these situations.

Bottom line: BIND makes me nervous. I think my way is a correct way, but not _the_ correct way. IMHO, letting BIND update the root cache is equally valid... it just is not my personal preference.

Eddy
--
Brotsman & Dreger, Inc.
- EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
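The cron-side check Eddy describes (file exists, has the expected owner and mode, and its contents are unchanged, for a named.conf, $INCLUDE or root-hints file kept root:root so the non-root BIND process cannot rewrite it), as an added example that is not part of the original thread. It assumes GNU coreutils (stat -c, sha256sum); the function names and the example paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a BIND config or root-hints
# file still exists, is owned by the expected uid:gid (0:0 for root:root),
# has the expected octal mode, and matches a known SHA-256, so a daemon running
# as a non-root user cannot have replaced it unnoticed. Function names are
# hypothetical; assumes GNU coreutils (stat -c, sha256sum).

# verify_zone_file FILE UID GID MODE SHA256
# Returns 0 when every check passes, 1 otherwise (reason on stderr).
verify_zone_file() {
    file=$1; uid=$2; gid=$3; mode=$4; want_sum=$5

    [ -f "$file" ] || { echo "missing or not a regular file: $file" >&2; return 1; }

    have=$(stat -c '%u:%g:%a' "$file") || return 1
    want="$uid:$gid:$mode"
    [ "$have" = "$want" ] || {
        echo "owner/mode mismatch on $file: have $have, want $want" >&2
        return 1
    }

    have_sum=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$have_sum" = "$want_sum" ] || {
        echo "content changed on $file (sha256 $have_sum)" >&2
        return 1
    }
}

# fix_zone_file FILE UID GID MODE
# The chown/chmod step the thread's crontab runs to force the permissions.
fix_zone_file() {
    chown "$2:$3" "$1" && chmod "$4" "$1"
}

# As a cron job (hypothetical path and digest):
#   sh zonecheck.sh /etc/named.conf 0 0 644 <sha256-of-known-good-copy>
# umask 022 first so anything the job creates is not group/world writable.
if [ $# -eq 5 ]; then
    umask 022
    verify_zone_file "$@"
fi
```

A non-zero exit from cron is what triggers the alert mail; the digest is recorded from a known-good copy when the file is installed, not computed from the live file.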
