Date: Sun, 17 Nov 2013 15:27:14 -0600 (CST)
From: Greg Rivers <gcr@tharned.org>
To: Erwin Lansing <erwin@FreeBSD.org>
Cc: FreeBSD Stable <freebsd-stable@freebsd.org>, Stefan Bethke <stb@lassitu.de>, FreeBSD Current <freebsd-current@freebsd.org>, Gleb Smirnoff <glebius@freebsd.org>, FreeBSD Release Engineering Team <re@freebsd.org>, George Kontostanos <gkontos.mail@gmail.com>, Dag-Erling Smørgrav <des@freebsd.org>, Özkan KIRIK <ozkan.kirik@gmail.com>
Subject: Re: FreeBSD 10 Beta2 /etc/rc.d/named script and /etc/defaults/rc.conf
Message-ID: <alpine.BSF.2.00.1311171500460.20435@badger.tharned.org>
In-Reply-To: <20131112111322.GV90670@droso.dk>
References: <CAAcX-AFJ__4CDz7%2BabFoRf%2BecrfOZRFXaos1sYnb85=k_BweEw@mail.gmail.com> <20131103220654.GU52889@FreeBSD.org> <6AA4A8E1-CBCE-4C87-A320-BB08EC76715F@lassitu.de> <CA%2BdUSypfj5Ja%2BKi1tikG19na7Dv96foW3HE%2BTEPaNYOUM9r5Cw@mail.gmail.com> <20131104083443.GZ52889@FreeBSD.org> <2B21E123-23BA-4E07-B9DD-9DE1CDE40D08@FreeBSD.org> <20131104163457.GJ52889@FreeBSD.org> <CA%2BdUSyp5JWskKU7_oMxuTsZekimtRs2A%2BmEZm=kS-87jNjF9yQ@mail.gmail.com> <868B00D6-101A-4B17-995F-A3E2AFE41908@lansing.dk> <20131112111322.GV90670@droso.dk>

On Tue, 12 Nov 2013, Erwin Lansing wrote:

> Sorry about the delay, but I did finally update all three dns/bind9*
> ports today.
>
Thanks a lot for your work on this very important port.

> I have dropped the complicated chroot, and related symlinking, logic
> from the default rc script as I don't think that is the right place to
> implement things.
>
I am somewhat astonished by this decision. FreeBSD has been running named chrooted for as long as I can remember. One of the really nice things about running BIND on FreeBSD has been that it came perfectly configured out of the box. I think a lot of people are going to be surprised by this.

Maybe the rc script is the wrong place to set up the chroot, but shouldn't the port at least set it up at install time? Without this, there is going to be a lot of duplicated and error prone effort with everyone setting up their own chroot environment.

> I would recommend users who want the extra security to use jail(8)
> instead of a mere chroot.
>
Is it the consensus that running named chrooted doesn't really add additional security? If a jail is that much better, shouldn't the port set up an appropriately configured jail so that we once again have everything working out of the box?

Maybe the Capsicum framework will supersede both chroots and jails for added BIND security, but until then, shouldn't the chroot feature be retained?

-- 
Greg Rivers