Date: Wed, 04 Dec 2013 07:26:08 -0600 From: Mark Felder <feld@FreeBSD.org> To: freebsd-stable@freebsd.org Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <1386163568.17887.55404277.525D580D@webmail.messagingengine.com> In-Reply-To: <20131204095855.GY29825@droso.dk> References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 4, 2013, at 3:58, Erwin Lansing wrote: > On Tue, Dec 03, 2013 at 12:56:37AM -0800, Michael Sinatra wrote: > > I am aware of the fact that unbound has "replaced" BIND in the base > > system, starting with 10.0-RELEASE. What surprised me was recent > > commits to ports/dns/bind99 (and presumably other versions) that appears > > to take away the supported chroot capabilities. OTOH, it appears that > > unbound has been given these capabilities. > > > > I have no issues with removing BIND from base, but taking away the very > > robust chroot support that FreeBSD had for BIND is something I would > > oppose. I like the idea of leveling the playing field for users of > > other systems, but the way things have been implemented thus far--taking > > away functionality from BIND while preferring unbound--seems > > counter-productive. It doesn't really level the playing field, it just > > turns it the other way. > > > > It seems like it would be pretty easy to preserve the /etc/rc.d/named > > startup script and BIND.chroot.dist from 9.x and add them to the BIND > > ports, so that people who need to run a full-blown BIND installation can > > "just install the port" as was advised back in 2012 when the > > BIND/unbound change was first being discussed on -hackers. What are the > > obstacles to doing something like this? > > > > It's not as simple as you describe, trust me I tried :-) > > The one point people in this thread seem to be missing is why BIND > should be treated differently than all the other DNS severs? BIND may > have a bad security reputation back from the 4 and 8 days, but do you > really think that BIND9 is so much more insecure than say NSD or Knot > that it needs special treatment in ports? Or what about Apache for that > matter? If you really think that, a chroot really isn't going to help > you much and what you really want is a jail(8). What should be done is > to create an easy to do so, but for any port, not just one single port. > I think we have all the tools available, so it is probably just a matter > of writing some good documentation to add to the porters handbook, > though to make it really easy might require some additions to the ports > framework. > This morning I was actually thinking about the true value of the chroot. Breaking out of a chroot is not an impossible task; there have been many PoCs over the years. Breaking out of a jail is a different and intentionally more difficult matter. If this is a stance the project has we should probably make it a bit clearer and provide some configuration and documentation reinforcing "chroots aren't safe; use a jail".
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1386163568.17887.55404277.525D580D>