Frank Altpeter wrote:
>
> hello!
>
> I'm planning to use the BIND8 module for giving away access to customers
> to their own zone files.
>
> There are a lot of very good features configurable in that module, but
> currently I'm still missing some to make the above secure.
>
> - The option "Restrict zone files to directory" doesn't seem to have any
> effect if defined.
No, it only affects the creation of new zones. If you have
> - It would be nice if one can disable editing of name server (NS)
> entries and SOA settings.
> These are things that a customer shouldn't change for himself.
>
> And, as global request... is it possible to set module configuration for
> newly created users to the minimum possible rights (e.g. all to "no") ?
> I don't see any reason, why a new user should have "can edit module
> configuration" on "yes" after creation - could cause security problems
> if one does create a new user and does forget to edit the user specific
> module configuration.
That could be a bit user-unfriendly though, as any new user that you create
would not be able to do anything in a new module. Maybe cloning and group
access control could be used to get the same effect.
> And, as last feature request for today, one question:
>
> Is it possible, that a user can be configured to be able to edit all
> zone files that are located in one directory?
>
> For example, I have a dns server with about 40000 domains in it. So I
> managed the zone files in different directories depending on the
> customer name.
> So, I have /named/primary/tchibo as directory where the files for tchibo.de,
> tchibo.at, tchibo.ch etc. are located.
> Now I want to create a user 'tchibo' that should be able to edit all
> zone files located in the mentioned directory, even if there will be
> more domains added in the future, but no access to any other files in
> any other directory, neither read nor write access.
> Currently I thought, that "Restrict zone files to directory" was the
> desired option, but as mentioned above, that doesn't seem to work.
That sounds like a good feature. I will add it to the next release of Webmin.
- Jamie
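
The per-directory access requested above only holds if the check compares resolved paths rather than string prefixes. The following is an added example, not part of this thread and not Webmin's code; the function name zone_allowed, the file names and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile


def zone_allowed(zone_file, allowed_dir):
    """True if zone_file resolves to a path strictly inside allowed_dir."""
    # realpath collapses ".." and follows symlinks; it also accepts paths
    # that do not exist yet, so zones added later are covered.
    base = os.path.realpath(allowed_dir)
    target = os.path.realpath(zone_file)
    try:
        # commonpath compares whole components, so ".../tchibo2" is not
        # treated as being under ".../tchibo" the way a string prefix is.
        return target != base and os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives
        return False


def demo():
    """Run the check over a constructed directory tree; return decisions."""
    with tempfile.TemporaryDirectory() as root:
        primary = os.path.join(root, "named", "primary")
        for customer in ("tchibo", "tchibo2", "other"):
            os.makedirs(os.path.join(primary, customer))
        allowed = os.path.join(primary, "tchibo")
        foreign = os.path.join(primary, "other", "example.org")
        for path in (os.path.join(allowed, "tchibo.de"), foreign):
            open(path, "w").close()
        # Symlink planted inside the customer's directory, pointing outside.
        os.symlink(foreign, os.path.join(allowed, "link"))
        probes = {
            "existing zone": os.path.join(allowed, "tchibo.de"),
            "future zone": os.path.join(allowed, "tchibo.ch"),
            "sibling prefix": os.path.join(primary, "tchibo2", "tchibo.de"),
            "dot-dot": os.path.join(allowed, "..", "other", "example.org"),
            "symlink out": os.path.join(allowed, "link"),
            "directory itself": allowed,
        }
        return {name: zone_allowed(p, allowed) for name, p in probes.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17} {'allow' if ok else 'deny'}")
```

The check and the later file open are separate steps, so the customer directory itself should not be writable by the customer outside the module.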