From owner-freebsd-current@FreeBSD.ORG Tue Oct 5 03:39:43 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF5DE16A4CE for ; Tue, 5 Oct 2004 03:39:43 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id A7B0443D31 for ; Tue, 5 Oct 2004 03:39:43 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin07-en2 [10.13.10.152]) by smtpout.mac.com (8.12.6/MantshX 2.0) with ESMTP id i953dh5U002429; Mon, 4 Oct 2004 20:39:43 -0700 (PDT) Received: from [192.168.1.6] (pool-68-160-246-51.ny325.east.verizon.net [68.160.246.51]) (authenticated bits=0)i953dcCL014704; Mon, 4 Oct 2004 20:39:42 -0700 (PDT) In-Reply-To: <20041005114834Y.matusita@jp.FreeBSD.org> References: <200410041734.53316.freebsd@redesjm.local> <200410042343.19211.freebsd@redesjm.local> <20041004181933.H96420@bo.vpnaa.bet> <20041005114834Y.matusita@jp.FreeBSD.org> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <2EC1F982-1680-11D9-B1D0-003065A20588@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Mon, 4 Oct 2004 23:39:38 -0400 To: Makoto Matsushita X-Mailer: Apple Mail (2.619) cc: freebsd-current@freebsd.org Subject: Re: New BIND 9 chroot directories X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Oct 2004 03:39:43 -0000 On Oct 4, 2004, at 10:48 PM, Makoto Matsushita wrote: > [ ...hier compliance... ] Yes, the named configuration file (I > believe it is considered generally as important), master zone files > (also important, at least for me), are located under "/var." > > So here's my question to all "running named with chroot sandobx" > users: are you ok with such important file is under /var? You raise a point that is worth considering. FWIW, I was running nameservers with the config file at /etc/named.conf before the ability to chroot() was available. However, the point can be answered in that it is entirely reasonable to have something like: named_enable="YES" named_flags="-u bind -g bind -c /etc/named.conf" ...in /etc/rc.conf and then do whatever you like under /var/named. Some people want all of the zone files in one place, others want to use s/ and /m (or slave/ and master/). Zone file naming conventions also vary: some append .rev and .db to zone files, some use just the former and not the latter; etc. So long as the options support reasonable flexibility and do not break backwards compatibility too much, any reasonable default is OK, and Doug as maintainer is making a reasonable attempt to improve the security of a daemon that many FreeBSD systems use. Yay! I suppose the situation could be improved by having some shell script which converts pre-chrooted named configs (at least the prior default config from 4.x) into the new layout, perhaps by creating symlinks from the current locations into the chroot tree under /var/named. Would something like that help address your concerns? -- -Chuck