From owner-freebsd-jail@FreeBSD.ORG Mon Sep 7 11:07:03 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 274B51065672 for ; Mon, 7 Sep 2009 11:07:03 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 156988FC1D for ; Mon, 7 Sep 2009 11:07:03 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n87B72Ir010288 for ; Mon, 7 Sep 2009 11:07:02 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n87B72B0010284 for freebsd-jail@FreeBSD.org; Mon, 7 Sep 2009 11:07:02 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 7 Sep 2009 11:07:02 GMT Message-Id: <200909071107.n87B72B0010284@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-jail@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2009 11:07:03 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/133265 jail [jail] is there a solution how to run nfs client in ja o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with 4 problems total. From owner-freebsd-jail@FreeBSD.ORG Tue Sep 8 18:27:57 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B7591065679 for ; Tue, 8 Sep 2009 18:27:57 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with ESMTP id 2E8B68FC1D for ; Tue, 8 Sep 2009 18:27:56 +0000 (UTC) Received: (qmail 3785 invoked by uid 399); 8 Sep 2009 18:27:55 -0000 Received: from localhost (HELO ?10.9.1.128?) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 8 Sep 2009 18:27:55 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4AA6A22B.1070402@FreeBSD.org> Date: Tue, 08 Sep 2009 11:27:55 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: John Baldwin References: <20090902160440.GA28417@sd-13813.dedibox.fr> <4A9E98AD.1070202@FreeBSD.org> <200909030808.08440.jhb@freebsd.org> In-Reply-To: <200909030808.08440.jhb@freebsd.org> X-Enigmail-Version: 0.96.0 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "Bjoern A. Zeeb" , FLEURIOT Damien , freebsd-jail@freebsd.org, freebsd-stable@freebsd.org Subject: Re: Not getting an IPv6 in a jail X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2009 18:27:57 -0000 John Baldwin wrote: > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote: >> FLEURIOT Damien wrote: >> >>> BIND's now happily running in its jail and responding to public >>> queries. >> It's up to you if you choose to do it, but there is no reason to run >> BIND in a jail. The chroot feature provided by default by rc.d/named >> is quite adequate security. > > That is debatable. One of the chief benefits of a jail is that if a server is > compromised so that an attacker can gain root access that root access is > limited in what it can do compared to a simple chroot. That is true for any > server you would run under a jail, not just BIND. On a strictly intellectual level I agree that jails are in some ways more limited than chroots. OTOH, named chroots by default into /var/named which has no binaries at all. The most "interesting" things in the chroot environment are /dev/null and /dev/random. Jails by nature have a more or less complete FreeBSD system available to the attacker. Also, in addition to being chroot'ed named runs by default as user 'bind' which is rather limited in what it can modify in the chroot. I realize that it's theoretically possible for an attacker to break out of a chroot environment, escalate their privileges, etc. I suppose my point is that if you're looking for things to tighten down on a FreeBSD system the default named configuration is not the first place I'd look. :) Doug