Date:      Mon, 7 Jan 2002 14:29:19 -0800
From:      "Philip J. Koenig" <pjklist@ekahuna.com>
To:        stable@FreeBSD.ORG
Subject:   Re: Chrooted bind  out of the box
Message-ID:  <3C39B0BF.16048.341530@localhost>
In-Reply-To: <bulk.43744.20020106165900@hub.freebsd.org>

> Date: Sun, 6 Jan 2002 11:23:45 -0800
> From: "Crist J. Clark" <cristjc@earthlink.net>
> 
> On Sat, Jan 05, 2002 at 10:26:01PM -0500, Joe Abley wrote:
> > Why not create a named_chroot variable in defaults/rc.conf which
> > is by default set to NO, but which sysinstall can override in
> > /etc/rc.conf with a YES for fresh (non-upgrade) installs?
> 
> /etc/defaults/rc.conf are the defaults. Not everyone makes a new
> system with sysinstall(8), and having sysinstall(8) put new and
> unexpected things in rc.conf is in itself a POLA violation.


Not sure what you mean.  Sysinstall makes lots of changes in 
/etc/rc.conf during install.  I think Joe was simply suggesting a new 
parameter in /etc/defaults/rc.conf which sysinstall can adjust during 
install-time just like it modifies things like IP address or whether 
or not the machine will run bind at boot.

 
> I was talking more about running named(8) as bind:bind. Chrooting has
> other issues, you need to actually build a chroot environment
> somewhere and decide what to put in it, and you still need to run as
> bind:bind for chrooting to be much of a security measure.


Seems to me that creating a standard location and environment for 
chrooted (or jail'ed) apps would be helpful.  Most particularly 
because the required device files and libraries would be there, and 
would be updated along with the ones which the rest of the system 
uses.

If people want to run it the way they always have, it wouldn't impact 
them.  Just don't use the new "bind_chroot=  YES" parameter in 
/etc/rc.conf, or whatever it ended up being called.

 
Phil



--
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
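The idea discussed in this message (an rc.conf knob that turns chrooting on, plus a standard tree for the chrooted named to live in) sketched as a POSIX shell script. This is an added example, not code from the thread or from FreeBSD: the knob names `bind_chroot` and `bind_chrootdir`, the directory layout and the mode bits are assumptions for illustration.

```shell
#!/bin/sh
# Added example: how an rc.conf-style "bind_chroot" knob could drive
# building and checking a chroot tree for named. Knob names, layout and
# modes are assumptions, not FreeBSD's actual rc.conf variables.

# Create the minimal tree under $1: config that named only reads, a
# var/run it may write its pid file to, and a dev directory for the
# device nodes. Device nodes need root (mknod) and are only reported.
build_chroot_layout() {
    base="$1"
    mkdir -p "$base/etc/namedb" "$base/var/run" "$base/dev" || return 1
    chmod 755 "$base" "$base/etc" "$base/dev" "$base/var"
    chmod 750 "$base/etc/namedb"   # readable by the bind group, not writable
    chmod 770 "$base/var/run"      # the only directory the daemon may write
    for node in null random; do
        [ -e "$base/dev/$node" ] || echo "note: create $base/dev/$node with mknod as root"
    done
    return 0
}

# Return 0 when the tree keeps to least privilege, 1 otherwise: nothing
# outside var/run may be world-writable, and no setuid/setgid file may
# exist inside the chroot (a writable config or a setuid binary would
# hand a compromised named more than the chroot is meant to allow).
check_chroot_layout() {
    base="$1"
    { [ -d "$base/etc/namedb" ] && [ -d "$base/var/run" ] && [ -d "$base/dev" ]; } || return 1
    bad=$(find "$base" -path "$base/var/run" -prune -o -perm -0002 -print | head -n 1)
    [ -z "$bad" ] || { echo "world-writable inside chroot: $bad"; return 1; }
    bad=$(find "$base" -type f \( -perm -4000 -o -perm -2000 \) -print | head -n 1)
    [ -z "$bad" ] || { echo "setuid/setgid inside chroot: $bad"; return 1; }
    return 0
}

# What an rc script would do with the knob: act only on YES, the usual
# way rc.conf booleans are read; any other value leaves things as before.
# After a good check, the rc script would start the daemon unprivileged
# and chrooted (BIND's own -u and -t flags), e.g. named -u bind -t "$dir".
apply_bind_chroot_knob() {
    knob="$1"; dir="$2"
    case "$knob" in
        [Yy][Ee][Ss]) build_chroot_layout "$dir" && check_chroot_layout "$dir" ;;
        *) return 0 ;;
    esac
}

# Stand-alone use: bind_chroot=YES bind_chrootdir=/path ./script.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_bind_chroot_knob "${bind_chroot:-NO}" "${bind_chrootdir:-/var/named}"
fi
```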

