Date: Sun, 6 Jan 2002 06:27:14 -0800
From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: stable@FreeBSD.ORG
Subject: Chrooted bind out of the box
Message-ID: <3C37EE42.10148.1C33477@localhost>
In-Reply-To: <bulk.39085.20020105235149@hub.freebsd.org>
> Date: Sat, 5 Jan 2002 22:26:01 -0500
> From: Joe Abley <jabley@automagic.org>
>
> On Sat, Jan 05, 2002 at 02:08:46PM -0800, Crist J. Clark wrote:
> > On Sat, Jan 05, 2002 at 11:26:00AM +0500, Haikal Saadh wrote:
> > > Is there a reason why bind is run as root by default and not bind.bind?
> > > And not chrooted?
> > >
> > > If I'm not mistaken almost everyone does this anyway, right?
> >
> > IIRC, the last time it was discussed, it was felt changing this in the
> > middle of -STABLE would be too disruptive. Many working BIND
> > installations would break when people updated.
>
> Why not create a named_chroot variable in defaults/rc.conf which
> is by default set to NO, but which sysinstall can override in
> /etc/rc.conf with a YES for fresh (non-upgrade) installs?

I think such a thing is a fine idea. I went through a lot of anguish
getting my chrooted version of Bind9 working. (And I'm even using the
-t option, which makes it much easier than the traditional way.)

I'm told FreeBSD's 'jail' feature is even more secure than traditional
chroot -- it would be kind of logical to use that facility if it's going
to be pre-configured.

One other thing which I guess comes up periodically but I keep wishing
for: some pre-built, statically compiled version of Bash that could then
become root's default shell (i.e. when booting single-user) would be a
great boon. (And which stays current with other library updates etc. The
main reasons I don't bother doing it myself are that I know I'd never
keep it updated or feel up to re-doing it on each machine I put
together.)

Apparently there is some problem with bash being incorporated in the
base system because it's GPL, I think. Nonetheless, I think there might
be some creative alternatives - like a port configured to compile
statically which installs in /bin. (Although you'd have to manually
upgrade it periodically to keep it up to date with various libraries, I
guess.)

Waitasec.. does this line in /usr/ports/shells/bash2/Makefile mean that
by default it's configured to statically compile?

CONFIGURE_ENV= LDFLAGS=-static

I didn't think that was the default..

Phil

--
Philip J. Koenig pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
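The chroot setup the thread discusses (named started with `-t` so that it chroots itself, running as an unprivileged user, switched on by a proposed `named_chroot` rc.conf knob), as an added example that is not part of the original message or of FreeBSD's own rc scripts. It lays out a minimal chroot skeleton, checks that nothing under the configuration directory is world-writable, and prints the rc.conf lines that would start the daemon. The directory names, the `named_chroot` variable and the `bind` user name are assumptions for illustration; only `-t` (chroot) and `-u` (user) are real named flags.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc scripts.
# Paths, the user name "bind" and the named_chroot knob are assumptions.
set -e

# prepare_named_chroot ROOT CONFIG
#   Creates ROOT/etc/namedb, ROOT/var/run and ROOT/dev, copies CONFIG to
#   ROOT/etc/namedb/named.conf and sets permissions so that only root can
#   write the configuration while the unprivileged daemon can still read it.
#   (Device nodes and chown are left out so the example runs without root.)
prepare_named_chroot() {
    root="$1"; cfg="$2"
    for d in etc/namedb var/run dev; do
        mkdir -p "$root/$d"
    done
    cp "$cfg" "$root/etc/namedb/named.conf"
    chmod 0755 "$root/etc" "$root/etc/namedb"
    chmod 0644 "$root/etc/namedb/named.conf"
    # named writes its pid file here, so the daemon's group needs write access.
    chmod 0775 "$root/var/run"
}

# check_named_chroot ROOT
#   Returns 0 when the skeleton is complete and nothing under ROOT/etc is
#   world-writable (a world-writable named.conf would let any local user
#   change what the chrooted resolver serves), 1 otherwise.
check_named_chroot() {
    root="$1"
    for f in etc/namedb/named.conf var/run dev; do
        [ -e "$root/$f" ] || { echo "missing $root/$f" >&2; return 1; }
    done
    bad=$(find "$root/etc" -perm -002 -print | head -n 1)
    [ -z "$bad" ] || { echo "world-writable: $bad" >&2; return 1; }
    return 0
}

# rc_conf_lines ROOT
#   Prints the rc.conf settings that would run named chrooted into ROOT and
#   as the unprivileged user "bind", using the -t and -u flags.
rc_conf_lines() {
    printf 'named_enable="YES"\nnamed_chroot="YES"\nnamed_flags="-u bind -t %s"\n' "$1"
}

# Usage (constructed sample config):
#   printf 'options { directory "/etc/namedb"; };\n' > /tmp/named.conf
#   prepare_named_chroot /tmp/named-root /tmp/named.conf
#   check_named_chroot /tmp/named-root && rc_conf_lines /tmp/named-root
```

The check function is the part worth keeping around: once the daemon is chrooted and unprivileged, the remaining local-attack surface is whatever inside the chroot the unprivileged user (or anyone) can write, so a periodic permission scan of the chroot is a cheap complement to the `-t`/`-u` flags.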