From: Kevin Oberman
To: Chris H
Cc: "freebsd-stable@freebsd.org Stable"
Date: Tue, 3 Dec 2013 17:09:23 -0800
Subject: Re: BIND chroot environment in 10-RELEASE...gone?

On Tue, Dec 3, 2013 at 2:10 PM, Chris H wrote:
> >> > It was a deliberate decision made by the maintainer. He said the chroot
> >> > code in the installation was too complicated and would be removed as a
> >> > part of the installation clean-up to get all BIND related files out of
> >> > /usr and /etc. I protested at the time as did someone else, but the
> >> > maintainer did not respond. I think this was a really, really bad
> >> > decision.
> >> >
> >> > I searched a bit for the thread on removing BIND leftovers, but have
> >> > failed to find it.
> >> >
> >>
> >> You're probably thinking about my November 17 posting:
> >> http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> >>
> >> I'm glad to see others finally speaking up; I was beginning to think I was
> >> the only one who thought this was not a good idea. I'm a bit surprised
> >> that no one has responded yet.
> >
> > I agree with the protesters here. Removing chroot and symlinking logic
> > in the ports is a significant disservice to FreeBSD users, and will
> > make it harder to use BIND in a sensible way. A net disincentive to
> > use FreeBSD :-(
>
> I strongly disagree. The BIND is still available within FreeBSD for anyone
> who chooses to use/install it. Further, nothing stops anyone who wishes to
> continue using the CHROOT(8) script(s) that provided the BIND with a chroot.
> Any copy of a FreeBSD-8 (maybe even 9) install CD/DVD holds all the "magic"
> required. It is _easily_ acquired, and implemented. In fact, one could
> easily turn the whole affair into an automated routine.
> So. Bottom line; the BIND still remains with FreeBSD, nothing has been
> taken away.
> The CHROOT(8) scripts are still easily available, and can be implemented,
> at will, by anyone who cares to continue using it.
> What's the big deal?

The big deal was that BIND, by default, just installed in a clean chroot
environment. It just worked. Now installing BIND from ports simply puts it
there with no added protection at all. Since it has long been recommended
that BIND either be run chrooted or jailed, this looks like a large step
backwards to me. The code was all there. I realize that moving the symlinks
around to do the job without polluting the base OS would take some doing,
but there is no reason it could not be done or that it should be terribly
difficult (said without looking at all of the details). I hate to see
regressions and this is clearly a regression. Worse, it was a deliberate one
made with a very casual comment that it was just cleaning up the script by
eliminating the complicated chroot code.

--
R. Kevin Oberman, Network Engineer
E-mail: rkoberman@gmail.com
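Kevin's point above is that the port used to drop named into a working chroot on its own, and Chris's is that the old scripts make this easy to automate. The script below is an added example written for this page; it is not the old FreeBSD rc.d/named chroot code and does not come from anyone in this thread. It builds a minimal chroot tree for named(8) and then checks it for the pitfall Kevin alludes to with "moving the symlinks around": an absolute symlink inside the tree resolves against the chroot for named but against the host for everything that is not chrooted. The directory layout, the sample named.conf, and the permission choices are assumptions made for illustration; named-checkconf's -t option is real but only usable as root, so it is only run in that case.

```shell
#!/bin/sh
# Added example, not FreeBSD's old rc.d/named chroot code: build a minimal
# chroot tree for named(8) and sanity-check it before pointing named at it.
# The layout and the sample named.conf are assumptions for illustration.
set -eu

# Create the tree named needs under $1. Paths inside named.conf are written
# relative to the chroot root, because named chroot()s before it reads its
# configuration. On a real host you would also chown the writable
# directories to the unprivileged user named runs as (root-only step,
# omitted so the example runs unprivileged).
build_named_chroot() {
    root=$1
    mkdir -p "$root/etc/namedb/master" "$root/etc/namedb/slave" \
             "$root/etc/namedb/dynamic" "$root/etc/namedb/working" \
             "$root/var/run/named" "$root/var/dump" "$root/var/stats" \
             "$root/var/log" "$root/dev"
    cat > "$root/etc/namedb/named.conf" <<'EOF'
options {
    directory       "/etc/namedb/working";
    pid-file        "/var/run/named/pid";
    dump-file       "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on       { 127.0.0.1; };
    recursion       no;
};

zone "." { type hint; file "/etc/namedb/named.root"; };
EOF
    # Configuration stays read-only; only the directories named must write
    # into (slave and dynamic zones, pid, dumps, stats) are group-writable.
    chmod 755 "$root/etc/namedb"
    chmod 644 "$root/etc/namedb/named.conf"
    chmod 775 "$root/etc/namedb/slave" "$root/etc/namedb/dynamic" \
              "$root/etc/namedb/working" "$root/var/run/named" \
              "$root/var/dump" "$root/var/stats"
}

# Return 0 if $1 looks like a usable chroot for named, 1 otherwise.
check_named_chroot() {
    root=$1
    [ -f "$root/etc/namedb/named.conf" ] || return 1
    [ -d "$root/var/run/named" ] || return 1
    # An absolute symlink inside the tree resolves against the chroot for
    # named but against the host for rndc, editors and the rc script, so
    # insist on relative links only.
    if find "$root" -type l -exec readlink {} \; | grep -q '^/'; then
        return 1
    fi
    # Nothing setuid belongs in a tree named can write into.
    if find "$root" -type f -perm -4000 | grep -q .; then
        return 1
    fi
    # As root, let BIND's own checker parse the config the way named will:
    # -t makes named-checkconf chroot() to $root before reading it.
    if [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/namedb/named.conf >/dev/null 2>&1 || return 1
    fi
    return 0
}
```

Run it as `build_named_chroot /var/named && check_named_chroot /var/named` before enabling named against that root. If you want the host-side convenience the old setup gave (editing /etc/namedb and having named see the change), create the links on the host side pointing into the chroot, not the other way round; the check above rejects the reverse arrangement on purpose.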