Message-Id: <1386163568.17887.55404277.525D580D@webmail.messagingengine.com>
From: Mark Felder
To: freebsd-stable@freebsd.org
In-Reply-To: <20131204095855.GY29825@droso.dk>
References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk>
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Date: Wed, 04 Dec 2013 07:26:08 -0600
List-Id: Production branch of FreeBSD source code

On Wed, Dec 4, 2013, at 3:58, Erwin Lansing wrote:
> On Tue, Dec 03, 2013 at 12:56:37AM -0800, Michael Sinatra wrote:
> > I am aware of the fact that unbound has "replaced" BIND in the base
> > system, starting with 10.0-RELEASE. What surprised me was recent
> > commits to ports/dns/bind99 (and presumably other versions) that appear
> > to take away the supported chroot capabilities. OTOH, it appears that
> > unbound has been given these capabilities.
> >
> > I have no issues with removing BIND from base, but taking away the very
> > robust chroot support that FreeBSD had for BIND is something I would
> > oppose. I like the idea of leveling the playing field for users of
> > other systems, but the way things have been implemented thus far--taking
> > away functionality from BIND while preferring unbound--seems
> > counter-productive. It doesn't really level the playing field, it just
> > turns it the other way.
> >
> > It seems like it would be pretty easy to preserve the /etc/rc.d/named
> > startup script and BIND.chroot.dist from 9.x and add them to the BIND
> > ports, so that people who need to run a full-blown BIND installation can
> > "just install the port" as was advised back in 2012 when the
> > BIND/unbound change was first being discussed on -hackers. What are the
> > obstacles to doing something like this?
> >
>
> It's not as simple as you describe, trust me I tried :-)
>
> The one point people in this thread seem to be missing is why BIND
> should be treated differently than all the other DNS servers? BIND may
> have a bad security reputation back from the 4 and 8 days, but do you
> really think that BIND9 is so much more insecure than say NSD or Knot
> that it needs special treatment in ports? Or what about Apache for that
> matter? If you really think that, a chroot really isn't going to help
> you much and what you really want is a jail(8). What should be done is
> to create an easy way to do so, but for any port, not just one single port.
> I think we have all the tools available, so it is probably just a matter
> of writing some good documentation to add to the porters handbook,
> though to make it really easy might require some additions to the ports
> framework.
>

This morning I was actually thinking about the true value of the chroot.
Breaking out of a chroot is not an impossible task; there have been many
PoCs over the years. Breaking out of a jail is a different and
intentionally more difficult matter. If this is a stance the project has
we should probably make it a bit clearer and provide some configuration
and documentation reinforcing "chroots aren't safe; use a jail".