Date: Tue, 8 Sep 2009 18:47:19 -0500
From: Scott Lambert <lambert@lambertfam.org>
To: freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail
Message-ID: <20090908234719.GC418@sysmon.tcworks.net>
In-Reply-To: <4AA6A22B.1070402@FreeBSD.org>
References: <ff6efe7e0909011230i414b6791k707f5c58383e9b53@mail.gmail.com> <20090902160440.GA28417@sd-13813.dedibox.fr> <4A9E98AD.1070202@FreeBSD.org> <200909030808.08440.jhb@freebsd.org> <4AA6A22B.1070402@FreeBSD.org>

On Tue, Sep 08, 2009 at 11:27:55AM -0700, Doug Barton wrote:
> John Baldwin wrote:
> > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> >> FLEURIOT Damien wrote:
> >>
> >>> BIND's now happily running in its jail and responding to public
> >>> queries.
> >>
> >> It's up to you if you choose to do it, but there is no reason to
> >> run BIND in a jail. The chroot feature provided by default by
> >> rc.d/named is quite adequate security.
> >
> > That is debatable. One of the chief benefits of a jail is that if
> > a server is compromised so that an attacker can gain root access
> > that root access is limited in what it can do compared to a simple
> > chroot. That is true for any server you would run under a jail, not
> > just BIND.
>
> On a strictly intellectual level I agree that jails are in some
> ways more limited than chroots. OTOH, named chroots by default into
> /var/named which has no binaries at all. The most "interesting" things
> in the chroot environment are /dev/null and /dev/random. Jails by
> nature have a more or less complete FreeBSD system available to the
> attacker. Also, in addition to being chroot'ed named runs by default
> as user 'bind' which is rather limited in what it can modify in the
> chroot.
>
> I realize that it's theoretically possible for an attacker to break
> out of a chroot environment, escalate their privileges, etc. I suppose
> my point is that if you're looking for things to tighten down on a
> FreeBSD system the default named configuration is not the first place
> I'd look. :)

Some of us are just using a jail per service to make the service more
portable between these massively overpowered machines these days.

For me, jails are not always just about security. I use them as a cheap
form of virtualization. The security separation can be a cheap side
effect of the cheap virtualization. This is especially cheap with the
help of sysutils/ezjail.

I do not currently have named inside a jail. I still have a few P3
boxes in service handling some of the small tasks which I haven't
gotten around to rolling up yet. Named inside a chroot inside a jail is
not the first thing I would go after, but when I get around to moving
it off the old server hardware, why not? :-)

-- 
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org