Date: Wed, 04 Dec 2013 09:59:29 -0800 From: Michael Sinatra <michael@rancid.berkeley.edu> To: Erwin Lansing <erwin@FreeBSD.org> Cc: stable@freebsd.org Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <529F6D81.1010808@rancid.berkeley.edu> In-Reply-To: <20131204095855.GY29825@droso.dk> References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/04/13 01:58, Erwin Lansing wrote: > It's not as simple as you describe, trust me I tried :-) Is it not simple because the original chroot environment was wonky or is it not simple because there's a desire to banish all remnants of BIND to /usr/local? It's actually a serious question, as I think the real issue is whether we allow certain ports to install themselves in the filesystem area typically reserved for "base." If so, then the "tier1" ports being described in the other thread can be the ones that can install themselves in the "base area" which ought to make the chroot thing a lot easier. > The one point people in this thread seem to be missing is why BIND > should be treated differently than all the other DNS severs? Maybe because the work to provide a solid chroot environment has already been done. But that also begs the question, why is unbound now being treated differently than all of the other DNS servers? FreeBSD has done a significant amount of work to integrate unbound into base *and* provide default chroot for it. I don't think all that work was done just because we needed a working "host" command in the base. > BIND may > have a bad security reputation back from the 4 and 8 days, but do you > really think that BIND9 is so much more insecure than say NSD or Knot > that it needs special treatment in ports? I don't see why NSD shouldn't have support for chroot, since it's supported by the daemon. In the case of Knot, I don't believe it supports chroot. FWIW, in OpenBSD, unbound and nsd are now in the base, but the "isc-bind" port still installs BIND in the base area with /var/named as the chroot. > Or what about Apache for that > matter? Yep. > If you really think that, a chroot really isn't going to help > you much and what you really want is a jail(8). And I do use jails, including vnet/vimage jails, mainly to separate functions of services running on a box. But there are still benefits to chroot for services running on a system, as it raises the bar and can limit the damage from a vulnerable service. For me, it's more of a way of combating the "unknown unknowns" of Rumsfeld's Razor. But, as has already been pointed out in this thread, the security issues of chroot are only part of the concern here. Part of the reason for the loudness of the complaining is that FreeBSD has now made for a rather messy upgrade path for administrators of authoritative BIND servers (or recursive/validating BIND servers, especially using RPZ, for that matter) to go from 9.x to 10.x. Not only was this not forewarned, we were told back when the decision was made to remove BIND that we could "just use the port." Instead, we have to "just use the port," then move all of our data/log/journal/config/etc files out of the /var/named hierarchy and put it all somewhere in /usr/local/etc, rewrite all of the scripts, checks, and other administrative tools to use the new locations, etc. Sure, if the scripts are written right, it's not a big deal, but it all adds up to extra steps we all have to take--for the purpose of reducing functionality. > What should be done is > to create an easy to do so, but for any port, not just one single port. > I think we have all the tools available, so it is probably just a matter > of writing some good documentation to add to the porters handbook, > though to make it really easy might require some additions to the ports > framework. I am not sure that the available tools apply to vnet jails, but I think that in general, the jail management tools are good. > The way the BIND ports are now is actually in line with all the other > ports in how they start and where the configuration files are. The > chroot code was a relic of history and the slight security benefit it > may have today is far outweighed by the increased complexity and > decreased consistency with the rest of the ports tree, both from a ports > maintainance perspective and from the user perspective. I will be happy > to look into general frameworks to jail any daemon installed from ports, > but will not make exceptions to a handful of ports. Then I assume you disagree with the whole concept of tier1 ports as described in the parallel thread. I still think that the FreeBSD ports for BIND are excellent and you have done a really good and helpful job in maintaining them. I just hate to see a lot of work being done--by all of us--that effectively leaves us worse off. And I understand that we probably have different perspectives on what it means to be "worse off." michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?529F6D81.1010808>