From: "Philip J. Koenig" <pjklist@ekahuna.com>
Organization: The Electric Kahuna Organization
To: stable@FreeBSD.ORG
Date: Sun, 6 Jan 2002 06:27:14 -0800
Subject: Chrooted bind out of the box
Reply-To: pjklist@ekahuna.com
Message-ID: <3C37EE42.10148.1C33477@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)

> Date: Sat, 5 Jan 2002 22:26:01 -0500
> From: Joe Abley
>
> On Sat, Jan 05, 2002 at 02:08:46PM -0800, Crist J. Clark wrote:
> > On Sat, Jan 05, 2002 at 11:26:00AM +0500, Haikal Saadh wrote:
> > > Is there a reason why bind is run as root by default and not bind.bind?
> > > And not chrooted?
> > >
> > > If I'm not mistaken almost everyone does this anyway, right?
> >
> > IIRC, the last time it was discussed, it was felt changing this in the
> > middle of -STABLE would be too disruptive. Many working BIND
> > installations would break when people updated.
>
> Why not create a named_chroot variable in defaults/rc.conf which
> is by default set to NO, but which sysinstall can override in
> /etc/rc.conf with a YES for fresh (non-upgrade) installs?

I think such a thing is a fine idea. I went through a lot of anguish
getting my chrooted version of Bind9 working. (And I'm even using the -t
option, which makes it much easier than the traditional way.)

I'm told FreeBSD's 'jail' feature is even more secure than traditional
chroot -- it would be kind of logical to use that facility if it's going
to be pre-configured.

One other thing which I guess comes up periodically but I keep wishing
for: some pre-built, statically compiled version of Bash that could then
become root's default shell (i.e. when booting single-user) would be a
great boon. (And one which stays current with other library updates etc.
The main reasons I don't bother doing it myself are that I know I'd never
keep it updated or feel up to re-doing it on each machine I put together.)

Apparently there is some problem with bash being incorporated in the base
system because it's GPL, I think. Nonetheless, I think there might be some
creative alternatives, like a port configured to compile statically which
installs in /bin. (Although you'd have to manually upgrade it periodically
to keep it up to date with various libraries, I guess.)

Waitasec.. does this line in /usr/ports/shells/bash2/Makefile mean that
by default it's configured to statically compile?

CONFIGURE_ENV= LDFLAGS=-static

I didn't think that was the default..

Phil

--
Philip J. Koenig pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
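The thread proposes an rc.conf knob that decides whether named starts chrooted, and Phil mentions running it with the -t option. As an added example that is not part of the original message or of FreeBSD's rc scripts, the POSIX sh script below audits an rc.conf-style file and reports whether named is enabled and whether its flags run it chrooted (-t DIR) and as a non-root user (-u USER). The variable names named_enable and named_flags are the historical FreeBSD rc.conf names; the two sample files it writes (a weak default and a hardened one) are constructed here for the demonstration and are not taken from the thread.

```shell
#!/bin/sh
# Added example: audit rc.conf for named's chroot / privilege posture.
# Assumes the historical FreeBSD knobs named_enable / named_flags.

# rc_get FILE VAR: print the value of VAR from an rc.conf-style file.
# The last assignment wins; surrounding double quotes are stripped.
rc_get() {
    _val=
    while IFS= read -r _line; do
        case "$_line" in
            "$2="*) _val="${_line#"$2="}" ;;
        esac
    done < "$1"
    _val="${_val#\"}"
    _val="${_val%\"}"
    printf '%s\n' "$_val"
}

# named_posture FLAGS: classify a named_flags string as
#   chrooted|unchrooted - root|unprivileged
# based on the presence of "-t DIR" and the user given to "-u".
named_posture() {
    _chroot=no
    _user=root
    set -- $1                      # word-split the flag string
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) _chroot=yes
                if [ $# -gt 1 ]; then shift; fi ;;   # skip the directory
            -u) if [ $# -gt 1 ]; then shift; _user="$1"; fi ;;
        esac
        shift
    done
    if [ "$_chroot" = yes ]; then _c=chrooted; else _c=unchrooted; fi
    if [ "$_user" = root ]; then _u=root; else _u=unprivileged; fi
    printf '%s-%s\n' "$_c" "$_u"
}

# audit_rc_conf FILE: one-line verdict for the named service in FILE.
audit_rc_conf() {
    _enable=$(rc_get "$1" named_enable)
    _flags=$(rc_get "$1" named_flags)
    case "$_enable" in
        [Yy][Ee][Ss]) printf 'named: enabled, %s\n' "$(named_posture "$_flags")" ;;
        *)            printf 'named: disabled\n' ;;
    esac
}

# write_samples DIR: constructed rc.conf fragments for the demo (not real hosts).
write_samples() {
    cat > "$1/rc.conf.weak" <<'EOF'
# named enabled with no flags: runs as root, not chrooted
named_enable="YES"
EOF
    cat > "$1/rc.conf.hardened" <<'EOF'
# named chrooted into /var/named and running as the bind user
named_enable="YES"
named_flags="-u bind -t /var/named"
EOF
}

# Demo: write both samples to a temp dir and audit them.
_demo=$(mktemp -d)
write_samples "$_demo"
for _f in "$_demo/rc.conf.weak" "$_demo/rc.conf.hardened"; do
    printf '%s: ' "$_f"
    audit_rc_conf "$_f"
done
rm -rf "$_demo"
```

Running it prints "unchrooted-root" for the weak file and "chrooted-unprivileged" for the hardened one, which is exactly the difference a default-NO named_chroot knob would be toggling. The parser deliberately ignores commented-out lines and takes the last assignment, matching how the shell itself would evaluate the file.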