Date: Mon, 20 Aug 2001 10:20:34 +0100
From: Rasputin
To: questions@freebsd.org
Subject: RE: chroot'ing named
Message-ID: <20010820102034.A16814@shaft.techsupport.co.uk>

> ted
>> setantae

>>Are you saying that an extra layer of security is pointless, so chroot'ing
>>named _should_ be hard?

>Shall I turn the question on its head and throw it right back to you: Are
>you saying that the extra layer of security is a requirement so the admin can
>be lazy and never bother applying security patches?

How does extra security equate to laziness?
Admin A has installed 2 levels of security; admin B has installed none.
Is admin A lazier than admin B??

> If the DNS goes away then the
> entire network is junk. By contrast failure of any other single server
> won't take the network with it.

Then surely to $DEITY that's a good reason for having security steps for
securing this actually work.

If the Handbook steps don't work, the Handbook needs fixing.
If a jail is a better solution, then a jail should be suggested in the Handbook.

Setantae has offered to do these, which is great.
Personally I'd have raised this on the security list, or possibly doc,
but I think they're valid points.

And if a jail can be made easier, and we already have a fix
(borrowed from OpenBSD) what's wrong with that?

Sheesh.

-- 
Stult's Report: Our problems are mostly behind us.
What we have to do now is fight the solutions.
Rasputin :: Jack of All Trades - Master of Nuns ::