From owner-freebsd-current@FreeBSD.ORG Wed Oct 6 19:50:51 2004
From: Sten Spans <sten@blinkenlights.nl>
To: Tillman Hodgson
Cc: freebsd-current@freebsd.org
Date: Wed, 6 Oct 2004 21:50:48 +0200 (CEST)
Subject: Re: HEADS UP: named now runs chroot'ed by default
In-Reply-To: <20041006173608.GA58024@seekingfire.com>
References: <20040928025635.Q5094@ync.qbhto.arg> <200409291951.12610.peter@wemm.org> <43039.193.35.129.161.1096541075.squirrel@webmail.xtaz.net> <20041005170720.M3095@bo.vpnaa.bet> <20041006173608.GA58024@seekingfire.com>

On Wed, 6 Oct 2004, Tillman Hodgson wrote:

> On Tue, Oct 05, 2004 at 05:11:16PM -0700, Doug Barton wrote:
> > On Thu, 30 Sep 2004, Tillman Hodgson wrote:
> >
> > > How do chroot and NFS interact?
>
> I can move away from that model easily enough, I just need to actually
> make a plan to do so. If NFS and chroot are unhappy bedfellows, I'll do
> so :-)

The only common NFS vs. chroot issue one normally encounters is chroot
interacting with root squashing. One can only chroot as root, but root
squashing will stop root from entering secure home directories. Running
setuid before chroot fixes the squashing, but then you can't chroot
anymore. The easy way out is mode 710 and setgid, chroot, setuid.
Linux has setfsuid for this purpose.

That said, I wouldn't normally run nameservers with NFS personally; I
like them widely distributed, which kinda clashes with NFS.

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
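The "setgid, chroot, setuid" ordering from the message above, written out as an added example (not code from the thread, from named, or from FreeBSD). The group is changed while the process is still root, so a root-squashed NFS server lets it through a mode 710 directory on the group bit; chroot then still succeeds because the uid is still 0; only afterwards is root given up. The bind uid/gid of 53 and the /var/named path are assumed defaults and should be adjusted; the final setuid(0) probe is an added sanity check, not something the message describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>       /* setgroups() on glibc; FreeBSD declares it in unistd.h */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* The directory mode the message recommends: owner rwx, group x only
 * (traverse, no listing), nothing for others. A root-squashed root, once
 * it carries the right gid, passes the group test and can enter. */
int homedir_mode_ok(mode_t mode)
{
    return (mode & 0777) == 0710;
}

/* Enter `dir` as a chroot and end up as uid/gid, in the order the message
 * recommends. Returns 0 on success or -step on failure with errno set by
 * the failing call (step 5 is the post-drop check and sets EPERM itself). */
int enter_homedir_chroot(const char *dir, uid_t uid, gid_t gid)
{
    /* Step 1: group identity first, while still root. Also replace root's
     * supplementary groups so none of them survive into the jail. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return -1;

    /* Step 2: chroot() requires root, so it must come before setuid(). */
    if (chroot(dir) != 0)
        return -2;

    /* Step 3: move the cwd inside the jail; a cwd left outside makes the
     * chroot trivially escapable via relative paths. */
    if (chdir("/") != 0)
        return -3;

    /* Step 4: now that we are inside, give up root. */
    if (setuid(uid) != 0)
        return -4;

    /* Step 5: prove the drop stuck. If setuid(0) still succeeds, only the
     * effective uid changed and the jail is worthless. (Asking for uid 0
     * is therefore also rejected here.) */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0) {
        errno = EPERM;
        return -5;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed values: FreeBSD's bind user is uid/gid 53 and named's jail
     * lives under /var/named on the poster's era of -CURRENT. Adjust. */
    const char *dir = argc > 1 ? argv[1] : "/var/named";
    uid_t uid = 53;
    gid_t gid = 53;

    int rc = enter_homedir_chroot(dir, uid, gid);
    if (rc != 0) {
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
        return 1;
    }
    printf("inside %s as uid=%lu gid=%lu, root dropped\n",
           dir, (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Run it as root against a home directory that is mode 710 and group-owned by the daemon's group; run as an unprivileged user it fails at step 1 with EPERM, which is the point: the sequence only works when started as root, and the message's complaint is that root squashing takes that root away at exactly the moment chroot needs it.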