From: Mark Foster <mdf@foster.cc>
To: ports@freebsd.org
Date: Fri, 27 Aug 2004 12:34:03 -0700
Subject: Re: Ports and jails
Message-ID: <20040827193403.GD11124@riddler.dyndns.org>
In-Reply-To: <802707E1-F826-11D8-AC6A-00039312D914@fillmore-labs.com>
References: <389B57D2-F815-11D8-81CD-00039357DA00@ifom-ieo-campus.it> <802707E1-F826-11D8-AC6A-00039312D914@fillmore-labs.com>
List-Id: Porting software to FreeBSD
User-Agent: Mutt/1.4.2.1i

On Fri, Aug 27, 2004 at 02:42:04PM +0200, Oliver Eikemeier wrote:
> Alessandro Dellavedova wrote:
> 
> > In our infrastructure we use some daemons (bind, dhcp, openldap) that
> > must run in a jail for security reasons. Do you think that having a
> > keyword JAILED=YES in the Makefiles of ports would be useful?
> 
> openldap could be run without opening a TCP/IP socket (by using UNIX
> domain sockets), bind chrooted as a non-privileged user, and dhcpd often
> needs to listen on more than one interface (and not on externally
> reachable ones), so a jail is not always a "must".
> 
> > Would something like make install PREFIX=/path/to/jail JAILED=YES be
> > difficult to implement?
> 
> jails are complete subsystems, so you could either compile the port
> inside the jail, or use a package building system and install it by
> pkg_add(1). Installing from a port into a jail is not really supported,
> and I don't see any necessity to do so.
> 

I'll bet he meant chroot() like bind9 takes with -t

-- 
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP  http://mark.foster.cc/
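As an added example, not code from the thread or from any of its participants: a POSIX shell script that builds the directory skeleton for a BIND 9 named started chrooted (-t) as an unprivileged user (-u), the setup Oliver describes and the flag Mark refers to, and checks the tree before starting. The chroot path /var/named, the user name bind and the named.conf contents are assumptions for illustration; -t, -u and -c are named's own flags.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal chroot for BIND 9
# named, started with -t ROOT -u USER. ROOT, USER and the config contents
# are assumptions; adapt them to the real zone set and rc.conf.
set -eu

# Populate the skeleton named needs under ROOT. Every path in named.conf
# is interpreted relative to ROOT once named has chrooted.
make_named_chroot() {
    root="$1"
    for d in etc namedb var/run var/log dev; do
        mkdir -p "$root/$d"
    done

    # Assumed minimal config: loopback only, chroot-relative paths.
    if [ ! -f "$root/etc/named.conf" ]; then
        cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/namedb";
    pid-file  "/var/run/named.pid";
    listen-on { 127.0.0.1; };
};
EOF
    fi

    # named needs /dev/null and /dev/random inside the chroot. On FreeBSD
    # the usual way is to mount devfs there; that needs root, so it is
    # skipped when the skeleton is built unprivileged.
    if [ "$(id -u)" -eq 0 ] && [ "$(uname -s)" = "FreeBSD" ]; then
        mount -t devfs devfs "$root/dev"
    fi
}

# The unprivileged user gets write access only where named must write
# (pid file, logs, dynamic zone data); etc/ stays root-owned. No-op
# unless run as root.
set_named_chroot_owner() {
    root="$1"; user="$2"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user" "$root/var/run" "$root/var/log" "$root/namedb"
    fi
}

# Pre-start checks: required entries exist, and nothing inside the chroot
# (device nodes excepted) is set-uid or world-writable. Returns 0 if clean.
check_named_chroot() {
    root="$1"
    for p in etc/named.conf namedb var/run dev; do
        [ -e "$root/$p" ] || { echo "missing $root/$p" >&2; return 1; }
    done
    bad=$(find "$root" \( -perm -4000 -o -perm -0002 \) \
             -not -type l -not -path "$root/dev/*" 2>/dev/null)
    [ -z "$bad" ] || { echo "unsafe entries in chroot: $bad" >&2; return 1; }
    return 0
}

# Chroot first (-t), then drop to the unprivileged user (-u). A process
# that stays root can leave a chroot, so -t without -u buys little; a
# jail(8) confines even root, which is the difference the thread turns on.
named_cmdline() {
    root="$1"; user="$2"
    printf 'named -t %s -u %s -c /etc/named.conf\n' "$root" "$user"
}

# Usage (as root): sh this_script.sh --install /var/named bind
if [ "${1:-}" = "--install" ]; then
    make_named_chroot "$2"
    set_named_chroot_owner "$2" "$3"
    check_named_chroot "$2"
    echo "starting: $(named_cmdline "$2" "$3")"
    named -t "$2" -u "$3" -c /etc/named.conf
fi
```

Run unprivileged, the script only builds and checks the tree; the devfs mount, the chown and the actual named start need root. The world-writable and set-uid check is the one worth keeping in any chroot build script: a writable directory or a set-uid binary inside the tree is exactly what turns a chroot from a nuisance into no boundary at all.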