Date: Tue, 16 Dec 2014 10:22:59 +0100
From: Erwin Lansing <erwin@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <20141216092259.GF89148@droso.dk>
In-Reply-To: <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU++n5CKBqyg@mail.gmail.com>
References: <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com>
 <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org>
 <20131203.223612.74719903.sthaug@nethelp.no>
 <20141215.082038.41648681.sthaug@nethelp.no>
 <e209e27f9eb42850326f5a4df458722b@ultimatedns.net>
 <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU++n5CKBqyg@mail.gmail.com>
On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>

While I don't want to get dragged down into this discussion that can go on
forever without any consensus, I just want to point out that there is a
slight twist to the above description. Due to implementational details, the
ports' chroot was actually inside the base system parts of BIND. Removing
the one removed the other. I did try my hand at a reimplementation
self-contained in the port, but that proved less trivial than thought and I
never reached a satisfactory solution. If anyone wants to try their hands at
it as well and convince the new port maintainer, please do so, but trust me
when I say that, e.g., an ezjail solution is much easier to set up and
maintain than reverting to the old functionality.

In the end, I'd rather see a more general solution that can chroot, or jail,
an arbitrary daemon from ports rather than special treatment of a single
port. If BIND, why not also NSD, unbound, or apache for argument's sake?

Erwin
--
Erwin Lansing                                   http://droso.dk
erwin@FreeBSD.org                               http://www.FreeBSD.org
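An added example, not part of this thread or of any FreeBSD port: a POSIX sh sketch of the kind of generic "chroot an arbitrary daemon" helper Erwin asks for. It builds a minimal chroot tree for one binary (directory skeleton, the binary itself, and the shared objects ldd reports, kept at their absolute paths), strips group/other write bits from the tree, and then checks the tree for world-writable directories and setuid files before a daemon is started inside it. The function names, the directory layout and the reliance on ldd are my assumptions. The script does not call chroot(2) itself; that step still has to be done as root by the daemon's rc script or by the daemon's own chroot option, followed by dropping privileges, because chroot alone does not confine a process that stays root, which is the gap jail(8) closes.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check a chroot tree
# for an arbitrary daemon binary. Function names and layout are assumptions.

# prepare_chroot ROOT BINARY
# Creates the skeleton under ROOT, copies BINARY into ROOT/bin, copies the
# shared objects ldd reports (preserving their absolute paths) and removes
# group/other write permission from everything in the tree.
prepare_chroot() {
    root=$1
    bin=$2
    [ -x "$bin" ] || { echo "prepare_chroot: $bin is not executable" >&2; return 1; }

    # Minimal skeleton: bin for the daemon, etc for its config, var/run for
    # pid files, dev for the few device nodes a daemon needs (populate dev
    # with devfs(8) or mknod(8) as root; not done here).
    for d in bin etc lib var/run dev; do
        mkdir -p "$root/$d" || return 1
    done
    cp "$bin" "$root/bin/" || return 1

    # Copy the dynamic dependencies. ldd invokes the dynamic linker on the
    # binary, so only point it at binaries you already trust.
    if command -v ldd >/dev/null 2>&1; then
        deps=$(ldd "$bin" 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if (substr($i, 1, 1) == "/") print $i }')
        for lib in $deps; do
            [ -f "$lib" ] || continue   # skips e.g. the "/bin/sh:" header line
            mkdir -p "$root$(dirname "$lib")" || return 1
            cp "$lib" "$root$lib" || return 1
        done
    fi

    # Nothing inside the tree should be writable by the service account or
    # anyone else; the daemon's writable state belongs in a dedicated subdir.
    find "$root" -exec chmod go-w '{}' + || return 1
    return 0
}

# check_chroot_perms ROOT
# Returns 0 when the tree contains no world-writable directories and no
# setuid files; either would let the chrooted daemon (or any local user)
# alter the tree or regain privileges from inside it.
check_chroot_perms() {
    root=$1
    [ -d "$root" ] || { echo "check_chroot_perms: $root missing" >&2; return 1; }
    if find "$root" -type d -perm -002 | grep -q .; then
        echo "check_chroot_perms: world-writable directory under $root" >&2
        return 1
    fi
    if find "$root" -type f -perm -4000 | grep -q .; then
        echo "check_chroot_perms: setuid file under $root" >&2
        return 1
    fi
    return 0
}
```

Usage is `prepare_chroot /var/chroot/named /usr/local/sbin/named` followed by `check_chroot_perms /var/chroot/named` from the rc script, before it starts the daemon with the chroot and the unprivileged user; with BIND that is what named's `-t` and `-u` options do, other daemons need chroot(8) plus their own privilege drop. The permission check is the part worth keeping even if the rest is replaced by ezjail: a chroot tree that the daemon can write to is the usual way a chroot stops being a boundary.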