From: Doug Barton <DougB@freebsd.org>
To: Peter Wemm
cc: freebsd-current@freebsd.org
Date: Thu, 30 Sep 2004 03:34:19 -0700 (PDT)
Subject: Re: HEADS UP: named now runs chroot'ed by default
Message-ID: <20040930033351.M57326@ync.qbhto.arg>
In-Reply-To: <200409291951.12610.peter@wemm.org>
References: <20040928025635.Q5094@ync.qbhto.arg> <200409291951.12610.peter@wemm.org>
Organization: http://www.FreeBSD.org/
List-Id: Discussions about the use of FreeBSD-current

Peter Wemm wrote:
> On Tuesday 28 September 2004 03:03 am, Doug Barton wrote:
>
>> I just committed a named "auto-chroot" system that will allow named
>> to run chroot'ed by default. If you have an existing named
>> configuration in /etc/namedb, the instructions for updating it are in
>> src/UPDATING. If you are already chroot'ing named, especially if you
>> are using /var/named as the chroot directory, you should back
>> everything up before upgrading and proceed with caution. :)
>>
>> For those that don't have a named configuration, all you should have
>> to do is 'rm -r /etc/namedb' and you'll be fine.
>>
>> Comments and suggestions are welcome, but please try to keep the
>> bikeshedding about specific bits down to an absolute minimum. The
>> directory structure and related options worked very well on hundreds
>> of name servers on a very busy enterprise network, so I have a high
>> degree of confidence that the defaults are sensible. That said, I am
>> open to genuine improvements, and dialogue on optional bits.
>
> Mergemaster hasn't been made aware of this.

mergemaster tries very hard not to grow special knowledge about any
files or directories; it relies on src/etc/Makefile.

> It unconditionally installs the named stuff in /var/named/etc/namedb

You probably have the -a option enabled somewhere, perhaps in a
mergemaster.rc file? Otherwise mm never takes any action by default.

> even when you've explicitly turned the chroot stuff off.

"Turning the chroot stuff off" is an rc.d option, not a make.conf
option. If it's really necessary I suppose I could put some work into
making the install path optional, but whether you chroot or not,
putting the named stuff in /var is "better" for most any definition of
better.

> How are we supposed to get the old behavior back?

Well, after following the instructions in UPDATING you could have all
your old files in /var/named/etc/namedb, and /etc/namedb will then be
a symlink to /var/named/etc/namedb. If you choose to disable chrooting
in rc.conf, you should have exactly the same old behavior; the only
difference is that your files will be in /var. This is one of the
reasons I chose to implement things the way I did.

You could also choose not to delete the /etc/namedb directory, and
just use your old files (without chrooting of course). If you want to
do this, you might also want to add 'NO_BIND_ETC= true' to your
make.conf. I don't recommend this of course, but it is possible to do
it this way.

IMO, once you get your files transferred over, you'll never even
notice that you're running chrooted, and it is a significant security
benefit.

> This sucks. :-(

Thank you for your kind words. :)

Doug

-- 
This .signature sanitized for your protection
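The layout Doug describes above (configuration moved to /var/named/etc/namedb, /etc/namedb left as a symlink to it, chroot toggled in rc.conf) as an added shell example. This is not code from the mail or from the FreeBSD source tree; the authoritative migration steps are the ones in src/UPDATING. Every function takes a root prefix as its first argument so the logic can be exercised against a scratch directory (pass "" for a live system); the rc.conf variable name named_chrootdir and the sample named.conf contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeBSD source tree.
# It mirrors the layout described in the reply: configuration lives in
# /var/named/etc/namedb and /etc/namedb is a symlink to it, so named finds
# the same files whether or not the rc.d script chroots it.
#
# Every function takes a root prefix as $1 ("" for a live system) so the
# logic can be exercised against a scratch directory. The rc.conf knob name
# named_chrootdir is an assumption here; confirm it in /etc/defaults/rc.conf.

# namedb_layout ROOT: print "chroot" when /etc/namedb is a symlink into the
# chroot, "legacy" when it is still a real directory, "none" when absent,
# and "unknown" for a symlink pointing somewhere else.
namedb_layout() {
    old="$1/etc/namedb"
    new="$1/var/named/etc/namedb"
    if [ -L "$old" ]; then
        case "$(readlink "$old")" in
            "$new"|/var/named/etc/namedb) echo chroot ;;
            *) echo unknown ;;
        esac
    elif [ -d "$old" ]; then
        echo legacy
    else
        echo none
    fi
}

# migrate_namedb ROOT: copy a legacy /etc/namedb into the chroot, keep the
# original as /etc/namedb.bak (the thread says to back up first), and
# replace /etc/namedb with the symlink. Refuses to clobber an existing
# chroot namedb; returns 1 when there is nothing to migrate.
migrate_namedb() {
    old="$1/etc/namedb"
    new="$1/var/named/etc/namedb"
    if [ "$(namedb_layout "$1")" != legacy ]; then
        echo "migrate_namedb: $old is not a plain directory, nothing to do" >&2
        return 1
    fi
    if [ -e "$new" ]; then
        echo "migrate_namedb: $new already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$1/var/named/etc" &&
    cp -Rp "$old" "$new" &&
    mv "$old" "$old.bak" &&
    ln -s "$new" "$old"
}

# named_chroot_setting ROOT: read named_chrootdir from ROOT/etc/rc.conf.
# "on" when it names a directory, "off" when set to the empty string
# (chroot disabled, the case the thread discusses), "default" when rc.conf
# does not mention it. Last assignment wins, as in sh.
named_chroot_setting() {
    rc="$1/etc/rc.conf"
    [ -f "$rc" ] || { echo default; return 0; }
    line=$(grep -E '^[[:space:]]*named_chrootdir=' "$rc" | tail -n 1)
    if [ -z "$line" ]; then
        echo default
        return 0
    fi
    # Strip the variable name, a trailing comment, and the surrounding quotes.
    val=$(printf '%s\n' "$line" |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//')
    if [ -n "$val" ]; then echo on; else echo off; fi
}
```

After migrate_namedb has run, named.conf is reachable both as /var/named/etc/namedb/named.conf (inside the chroot) and as /etc/namedb/named.conf (through the symlink), which is why turning the chroot off in rc.conf gives the old behaviour with the same files.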