From owner-freebsd-stable@FreeBSD.ORG Tue Dec 16 09:23:04 2014
Date: Tue, 16 Dec 2014 10:22:59 +0100
From: Erwin Lansing
To: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <20141216092259.GF89148@droso.dk>
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>
X-Operating-System: FreeBSD/amd64 9.3-RELEASE-p5
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Production branch of FreeBSD source code

On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>

While I don't want to get dragged down into this discussion, which can go on forever without any consensus, I just want to point out that there is a slight twist to the above description. Due to implementation details, the ports' chroot was actually inside the base system parts of BIND. Removing the one removed the other. I did try my hand at a reimplementation self-contained in the port, but that proved less trivial than thought and I never reached a satisfactory solution. If anyone wants to try their hand at it as well and convince the new port maintainer, please do so, but trust me when I say that, e.g., an ezjail solution is much easier to set up and maintain than reverting to the old functionality.

In the end, I'd rather see a more general solution that can chroot, or jail, an arbitrary daemon from ports rather than special treatment of a single port. If BIND, why not also NSD, unbound, or apache, for argument's sake?

Erwin
-- 
Erwin Lansing                                     http://droso.dk
erwin@FreeBSD.org                        http://www.FreeBSD.org
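The general per-daemon jail approach Erwin argues for, as an added example that is not part of the thread or of any FreeBSD port: a FreeBSD 10-era /etc/jail.conf that runs the ports-installed BIND and unbound each in its own jail, with the host and in-jail rc.conf lines that go with it. The jail root /usr/jails, the example.net hostnames and the 192.0.2.0/24 addresses are assumed placeholders, not values from the thread.

```conf
# Added example (not from the thread). Assumed: jails live under /usr/jails,
# each daemon is installed from ports inside its own jail, and the
# 192.0.2.x addresses are placeholders.

# ---- host: /etc/jail.conf ----
# Defaults shared by every jail below; $name is expanded per jail.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                  # start with a clean environment
mount.devfs;                 # devfs inside the jail ...
devfs_ruleset = 4;           # ... restricted by devfsrules_jail (/etc/defaults/devfs.rules)
path = "/usr/jails/$name";
host.hostname = "$name.example.net";
allow.raw_sockets = 0;       # a DNS daemon does not need raw sockets
allow.set_hostname = 0;

# One jail per daemon: a compromised named cannot reach unbound's
# filesystem, processes or sockets, which a plain chroot does not guarantee.
named {
    ip4.addr = 192.0.2.53;
}
unbound {
    ip4.addr = 192.0.2.54;
}

# ---- host: /etc/rc.conf ----
# jail_enable="YES"
# jail_list="named unbound"

# ---- inside /usr/jails/named/etc/rc.conf (BIND from ports) ----
# named_enable="YES"

# ---- inside /usr/jails/unbound/etc/rc.conf (unbound from ports) ----
# unbound_enable="YES"
```

The same pattern covers NSD or Apache: add a stanza with its own ip4.addr and enable the port's rc script inside that jail, so no port needs special-case chroot logic. ezjail (ezjail-admin create named 192.0.2.53) produces an equivalent setup on top of a shared read-only basejail, which is the lower-maintenance route Erwin points to.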