From: Jamie C. <jca...@we...> - 2002-01-26 09:03:38
Frank Altpeter wrote:
>
> hello!
>
> I'm planning to use the BIND8 module for giving away access to customers
> to their own zone files.
>
> There are a lot of very good features configurable in that module, but
> currently I'm still missing some to make above secure.
>
> - The option "Restrict zone files to directory" doesn't seem to have any
> effect if defined.

No, it only affects the creation of new zones. If you have

> - It would be nice if one can disable editing of name server (NS)
> entries and SOA settings.
> These are things that a customer shouldn't change for himself.
>
> And, as global request... is it possible to set module configuration for
> newly created users to the minimum possible rights (e.g. all to "no") ?
> I don't see any reason, why a new user should have "can edit module
> configuration" on "yes" after creation - could cause security problems
> if one does create a new user and does forget to edit the user specific
> module configuration.

That could be a bit user-unfriendly though, as any new user that you
create would not be able to do anything in a new module.. Maybe cloning
and group access control could be used to get the same effect.

> And, as last feature request for today, one question:
>
> Is it possible, that a user can be configured to be able to edit all
> zone files that are located in one directory?
>
> For example, I have a dns server with about 40000 domains in it. So I
> managed the zone files in different directories depending on the
> customer name.
> So, I have /named/primary/tchibo as directory where the files for tchibo.de,
> tchibo.at, tchibo.ch etc. are located.
> Now I want to create a user 'tchibo' that should be able to edit all
> zone files located in the mentioned directory, even if there will be
> more domains added in the future, but no access to any other files in
> any other directory, neither read nor write access.
> Currently I thought, that "Restrict zone files to directory" was the
> desired option, but as mentioned above, that doesn't seem to work.

That sounds like a good feature .. I will add it to the next release of
webmin.

 - Jamie
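The per-directory restriction requested in this thread, sketched as an added example (not Webmin's code and not part of the original messages): zone access is decided from each zone's file path, so zones added to the customer directory later are covered automatically. The named.conf fragment, the `/named` base directory for relative paths, and all function names are constructed for illustration.

```python
import posixpath
import re

# Constructed named.conf fragment (sample data, not taken from the thread's server).
NAMED_CONF = '''
zone "tchibo.de"   { type master; file "/named/primary/tchibo/tchibo.de"; };
zone "tchibo.at"   { type master; file "/named/primary/tchibo/tchibo.at"; };
zone "example.com" { type master; file "/named/primary/tchibo2/example.com"; };
zone "dotdot.test" { type master; file "/named/primary/tchibo/../other/dotdot.test"; };
zone "rel.test"    { type master; file "rel.test"; };
'''

# Captures the zone name and the path given in its file statement.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{[^}]*?file\s+"([^"]+)"')

def parse_zones(conf, base_dir="/named"):
    """Map zone name -> normalized absolute file path.

    Relative paths are resolved against base_dir, standing in for BIND's
    options { directory } setting (assumed value here).
    """
    zones = {}
    for name, path in ZONE_RE.findall(conf):
        # normpath collapses "." and ".." so the check sees the real target.
        zones[name] = posixpath.normpath(posixpath.join(base_dir, path))
    return zones

def in_directory(path, allowed_dir):
    """True if path lies inside allowed_dir (subdirectories included).

    Comparing whole path components avoids the string-prefix mistake where
    /named/primary/tchibo2 would match /named/primary/tchibo. This check is
    lexical only; on a live server resolve symlinks with os.path.realpath
    before comparing.
    """
    allowed = posixpath.normpath(allowed_dir)
    return posixpath.commonpath([path, allowed]) == allowed

def editable_zones(conf, allowed_dir):
    """Zones a user restricted to allowed_dir may read or edit."""
    zones = parse_zones(conf)
    return sorted(z for z, p in zones.items() if in_directory(p, allowed_dir))

if __name__ == "__main__":
    print(editable_zones(NAMED_CONF, "/named/primary/tchibo"))
```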