Date:      Sun, 17 Nov 2013 15:27:14 -0600 (CST)
From:      Greg Rivers <gcr@tharned.org>
To:        Erwin Lansing <erwin@FreeBSD.org>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>, Stefan Bethke <stb@lassitu.de>, FreeBSD Current <freebsd-current@freebsd.org>, Gleb Smirnoff <glebius@freebsd.org>, FreeBSD Release Engineering Team <re@freebsd.org>, George Kontostanos <gkontos.mail@gmail.com>, Dag-Erling Smørgrav <des@freebsd.org>, Özkan KIRIK <ozkan.kirik@gmail.com>
Subject:   Re: FreeBSD 10 Beta2 /etc/rc.d/named script and /etc/defaults/rc.conf
Message-ID:  <alpine.BSF.2.00.1311171500460.20435@badger.tharned.org>
In-Reply-To: <20131112111322.GV90670@droso.dk>
References:  <CAAcX-AFJ__4CDz7%2BabFoRf%2BecrfOZRFXaos1sYnb85=k_BweEw@mail.gmail.com> <20131103220654.GU52889@FreeBSD.org> <6AA4A8E1-CBCE-4C87-A320-BB08EC76715F@lassitu.de> <CA%2BdUSypfj5Ja%2BKi1tikG19na7Dv96foW3HE%2BTEPaNYOUM9r5Cw@mail.gmail.com> <20131104083443.GZ52889@FreeBSD.org> <2B21E123-23BA-4E07-B9DD-9DE1CDE40D08@FreeBSD.org> <20131104163457.GJ52889@FreeBSD.org> <CA%2BdUSyp5JWskKU7_oMxuTsZekimtRs2A%2BmEZm=kS-87jNjF9yQ@mail.gmail.com> <868B00D6-101A-4B17-995F-A3E2AFE41908@lansing.dk> <20131112111322.GV90670@droso.dk>

On Tue, 12 Nov 2013, Erwin Lansing wrote:

> Sorry about the delay, but I did finally update all three dns/bind9* 
> ports today.
>

Thanks a lot for your work on this very important port.

> I have dropped the complicated chroot, and related symlinking, logic 
> from the default rc script as I don't think that is the right place to 
> implement things.
>

I am somewhat astonished by this decision.  FreeBSD has been running named 
chrooted for as long as I can remember.  One of the really nice things 
about running BIND on FreeBSD has been that it came perfectly configured 
out of the box.  I think a lot of people are going to be surprised by 
this.

Maybe the rc script is the wrong place to set up the chroot, but shouldn't 
the port at least set it up at install time?  Without this, there is going 
to be a lot of duplicated and error-prone effort with everyone setting up 
their own chroot environment.

> I would recommend users who want the extra security to use jail(8) 
> instead of a mere chroot.
>

Is it the consensus that running named chrooted doesn't really add 
additional security?  If a jail is that much better, shouldn't the port 
set up an appropriately configured jail so that we once again have 
everything working out of the box?

Maybe the Capsicum framework will supersede both chroots and jails for 
added BIND security, but until then, shouldn't the chroot feature be 
retained?

-- 
Greg Rivers


