Date:      Fri, 20 Sep 2024 09:56:23 -0400
From:      Ryan Steinmetz <zi@freebsd.org>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        ports@freebsd.org
Subject:   Re: rbldnsd does not start in a jail
Message-ID:  <Zu1_B13ehCVEJO8S@exodus.zi0r.com>
In-Reply-To: <68c5efba-addb-4d25-9650-498b52e39b1b@netfence.it>
References:  <68c5efba-addb-4d25-9650-498b52e39b1b@netfence.it>


On (09/20/24 11:11), Andrea Venturoli wrote:
>Hello.
>
>I'm running rbldnsd in a jail since a long time.
>Lately it fails to start:
>>service rbldnsd start
>>Starting rbldnsd.
>>rbldnsd: listening on 127.0.2.1/10053
>>rbldnsd: unable to chroot to /usr/local/etc/rbldnsd: Operation not permitted
>>/usr/local/etc/rc.d/rbldnsd: WARNING: failed to start rbldnsd
>

This is probably something specific to your environment, as it works in 
a fresh jail on a 14.1-RELEASE system:

root@141R-test:~ # freebsd-version
14.1-RELEASE-p5
root@141R-test:~ # sysctl security.jail.jailed
security.jail.jailed: 1
root@141R-test:~ # ps auxw|grep rbl
rbldns 39967  0.0  0.0 12932 2624  -  SsJ  13:47   0:00.00 /usr/local/sbin/rbldnsd -p /var/run/rbldnsd.pid -r /usr/local/etc/rbldnsd -w / -b 127.0.0.1/5353 bl.example.com:ip4set:example

As a starting point, I would look for defaults you have modified in:
- security.jail sysctls
- security.mac sysctls
- *chroot* sysctls
- kern.securelevel
- security.jail.param.securelevel
- Filesystem permissions in the new root dir (and its parent directories)


>I had to change "-r" to "-w" in rc.conf's rbldnsd_flags in order to 
>disable chrooting.
>
>I'm not sure if this started since I upgraded from 14.0 to 14.1; looks 
>like rbldnsd itself didn't change recently...
>
>Any comment?
>Was chroot in a jail disabled recently? Is some additional setting 
>needed for 14.1? I didn't find anything in the release notes.
>Perhaps it does not make much sense to chroot in a jail?
>Is this a bug worth reporting?
>

chrooting in a jail is fine and can certainly make sense, especially if 
the jail is not 100% dedicated to rbldnsd.

-r

> bye & Thanks
>	av.

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228  EDC6 1EF8 BA6B D028 46D7
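As an added example (not code from this thread or from the rbldnsd port), a small sh helper that turns Ryan's checklist into something you can run: it flags sysctl values that commonly get in the way of chroot(2) in a jail, and walks the chroot directory chain for components the daemon user cannot search. It assumes `sysctl -a` style "name: value" input; the sample dump is constructed, and the permission walk only looks at the "others" bits, so group-based access is not considered.

```sh
#!/bin/sh
# Added example, not from the thread or the rbldnsd port: apply Ryan's
# checklist to a sysctl dump and a chroot directory chain. SAMPLE_DUMP is constructed.
SAMPLE_DUMP='security.jail.jailed: 1
kern.securelevel: 2
kern.chroot_allow_open_directories: 0
security.mac.portacl.enabled: 1'

# flag_chroot_sysctls: read "name: value" lines on stdin. CHECK marks values known
# to interfere with chroot(2); REVIEW lists security.jail.*/security.mac.* knobs.
flag_chroot_sysctls() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            kern.securelevel)
                # default is -1; a raised securelevel restricts even root
                if [ "$value" -gt -1 ]; then
                    echo "CHECK $name=$value (securelevel raised)"
                fi ;;
            kern.chroot_allow_open_directories)
                # 0 makes chroot(2) fail while the process has directories open
                if [ "$value" -eq 0 ]; then
                    echo "CHECK $name=$value (chroot refused with open dirs)"
                fi ;;
            security.jail.*|security.mac.*)
                echo "REVIEW $name=$value" ;;
        esac
    done
}

# check_chroot_chain DIR: walk from DIR up to / and report components that are not
# searchable by "others" (approximation: the daemon's group membership is ignored).
check_chroot_chain() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case "$mode" in
            ?????????[xt]) ;;
            *) echo "PERM $dir $mode (not searchable by others)" ;;
        esac
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
}

printf '%s\n' "$SAMPLE_DUMP" | flag_chroot_sysctls
check_chroot_chain "${1:-/usr/local/etc/rbldnsd}"
```

On a real host, feed it `sysctl -a | ./script.sh`'s style input with `sysctl security.jail security.mac kern.securelevel kern.chroot_allow_open_directories | flag_chroot_sysctls` and pass the daemon's `-r` directory as the first argument.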
