Date: Tue, 08 Sep 2009 11:27:55 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: John Baldwin <jhb@freebsd.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, FLEURIOT Damien <ml@my.gd>, freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail
Message-ID: <4AA6A22B.1070402@FreeBSD.org>
In-Reply-To: <200909030808.08440.jhb@freebsd.org>
References: <ff6efe7e0909011230i414b6791k707f5c58383e9b53@mail.gmail.com> <20090902160440.GA28417@sd-13813.dedibox.fr> <4A9E98AD.1070202@FreeBSD.org> <200909030808.08440.jhb@freebsd.org>
John Baldwin wrote:
> On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
>> FLEURIOT Damien wrote:
>>
>>> BIND's now happily running in its jail and responding to public
>>> queries.
>>
>> It's up to you if you choose to do it, but there is no reason to run
>> BIND in a jail. The chroot feature provided by default by rc.d/named
>> is quite adequate security.
>
> That is debatable. One of the chief benefits of a jail is that if a server is
> compromised so that an attacker can gain root access that root access is
> limited in what it can do compared to a simple chroot. That is true for any
> server you would run under a jail, not just BIND.

On a strictly intellectual level I agree that jails are in some ways more
limited than chroots. OTOH, named chroots by default into /var/named which
has no binaries at all. The most "interesting" things in the chroot
environment are /dev/null and /dev/random. Jails by nature have a more or
less complete FreeBSD system available to the attacker.

Also, in addition to being chroot'ed, named runs by default as user 'bind'
which is rather limited in what it can modify in the chroot.

I realize that it's theoretically possible for an attacker to break out of
a chroot environment, escalate their privileges, etc. I suppose my point is
that if you're looking for things to tighten down on a FreeBSD system the
default named configuration is not the first place I'd look. :)

Doug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AA6A22B.1070402>
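The argument above rests on two properties of the default named chroot: the tree under /var/named contains no executables, and the daemon runs as the unprivileged 'bind' user. The script below is an added example, not code from the thread or from FreeBSD's rc.d/named; it audits a chroot directory for exactly those properties (executable or setuid files, world-writable directories, device nodes other than null and random) and checks which user named is running as. The /var/named path and the 'bind' user are the defaults the thread names; the sample directory tree it builds is constructed for demonstration and does not reproduce the real /var/named layout.

```shell
#!/bin/sh
# Added example: audit a named chroot for things an attacker could use after
# a compromise. Not part of the original thread or of rc.d/named.

# Regular files with any execute bit, setuid or setgid set. A clean chroot
# of the kind described in the thread should yield nothing here.
chroot_executables() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of such files; "0" is the "no binaries at all" property.
chroot_executable_count() {
    chroot_executables "$1" | wc -l | tr -d ' '
}

# World-writable, non-sticky directories: where dropped tools would land.
chroot_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Device nodes other than the two the thread expects (null and random).
chroot_unexpected_devices() {
    find "$1" \( -type c -o -type b \) ! -name null ! -name random 2>/dev/null
}

# True (exit 0) if a process named "named" is running as the given user.
# Default user 'bind' is the rc.d/named default mentioned in the thread.
named_running_as() {
    pgrep -u "${1:-bind}" -x named >/dev/null 2>&1
}

# Human-readable report for a chroot directory (default /var/named).
audit_chroot() {
    dir="${1:-/var/named}"
    echo "chroot: $dir"
    echo "executable/setuid files: $(chroot_executable_count "$dir")"
    chroot_executables "$dir" | sed 's/^/  /'
    echo "world-writable dirs:"
    chroot_world_writable_dirs "$dir" | sed 's/^/  /'
    echo "unexpected device nodes:"
    chroot_unexpected_devices "$dir" | sed 's/^/  /'
    if named_running_as bind; then
        echo "named: running as bind"
    else
        echo "named: not running as bind (or not running)"
    fi
}

# Constructed sample tree (NOT a real /var/named): config files only, no
# binaries, no writable directories. Prints the path so a caller can use it.
make_sample_chroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/namedb" "$dir/dev"
    : > "$dir/etc/namedb/named.conf"
    : > "$dir/etc/namedb/localhost.rev"
    chmod 644 "$dir/etc/namedb/named.conf" "$dir/etc/namedb/localhost.rev"
    chmod 755 "$dir" "$dir/etc" "$dir/etc/namedb" "$dir/dev"
    printf '%s\n' "$dir"
}

# Usage: sh audit.sh            -> audits /var/named on this host
#        sh audit.sh /some/dir  -> audits another chroot
if [ "${AUDIT_CHROOT_NO_MAIN:-0}" = "0" ] && [ "$(basename -- "$0")" = "audit.sh" ]; then
    audit_chroot "$1"
fi
```

Run against a real chroot, a non-zero executable count or an unexpected device node is what should prompt a closer look; the report is deliberately dumb about what it finds and leaves the judgement to the operator.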