From owner-freebsd-stable@FreeBSD.ORG Wed Sep 9 00:08:10 2009
Date: Tue, 8 Sep 2009 18:47:19 -0500
From: Scott Lambert <lambert@lambertfam.org>
To: freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail
Message-ID: <20090908234719.GC418@sysmon.tcworks.net>
In-Reply-To: <4AA6A22B.1070402@FreeBSD.org>
References: <20090902160440.GA28417@sd-13813.dedibox.fr> <4A9E98AD.1070202@FreeBSD.org> <200909030808.08440.jhb@freebsd.org> <4AA6A22B.1070402@FreeBSD.org>
User-Agent: Mutt/1.4.2.2i
List-Id: Production branch of FreeBSD source code

On Tue, Sep 08, 2009 at 11:27:55AM -0700, Doug Barton wrote:
> John Baldwin wrote:
> > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> >> FLEURIOT Damien wrote:
> >>
> >>> BIND's now happily running in its jail and responding to public
> >>> queries.
> >>
> >> It's up to you if you choose to do it, but there is no reason to
> >> run BIND in a jail. The chroot feature provided by default by
> >> rc.d/named is quite adequate security.
> >
> > That is debatable. One of the chief benefits of a jail is that if
> > a server is compromised so that an attacker can gain root access
> > that root access is limited in what it can do compared to a simple
> > chroot. That is true for any server you would run under a jail, not
> > just BIND.
>
> On a strictly intellectual level I agree that jails are in some
> ways more limited than chroots. OTOH, named chroots by default into
> /var/named which has no binaries at all. The most "interesting" things
> in the chroot environment are /dev/null and /dev/random. Jails by
> nature have a more or less complete FreeBSD system available to the
> attacker. Also, in addition to being chroot'ed named runs by default
> as user 'bind' which is rather limited in what it can modify in the
> chroot.
>
> I realize that it's theoretically possible for an attacker to break
> out of a chroot environment, escalate their privileges, etc. I suppose
> my point is that if you're looking for things to tighten down on a
> FreeBSD system the default named configuration is not the first place
> I'd look. :)

Some of us are just using a jail per service to make the service more
portable between these massively overpowered machines these days. For
me, jails are not always just about security. I use them as a cheap form
of virtualization. The security separation can be a cheap side effect
of the cheap virtualization. This is especially cheap with the help of
sysutils/ezjail.

I do not currently have named inside a jail. I still have a few P3 boxes
in service handling some of the small tasks which I haven't gotten
around to rolling up yet.

Named inside a chroot inside a jail is not the first thing I would go
after, but when I get around to moving it off the old server hardware,
why not? :-)

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org
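The argument above rests on the named chroot containing no binaries and only the /dev/null and /dev/random device nodes. The following POSIX sh function, added here as an example and not part of the thread or of rc.d/named, audits a chroot directory for exactly those properties; the directory is a parameter, with /var/named being the default named_chrootdir the thread refers to.

```sh
#!/bin/sh
# audit_chroot DIR
# Reports regular files with any execute bit, setuid/setgid files and device
# nodes other than null and random found under DIR.
# Exit status: 0 = nothing unexpected, 1 = findings, 2 = DIR is not a directory.
audit_chroot() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_chroot: $dir is not a directory" >&2; return 2; }
    status=0

    # A bare named chroot needs no executables at all (octal -perm forms are
    # accepted by both BSD and GNU find).
    execs=$(find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print)
    if [ -n "$execs" ]; then
        printf 'executable file(s):\n%s\n' "$execs"
        status=1
    fi

    # setuid/setgid files inside the chroot would undermine running as 'bind'.
    suid=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        printf 'setuid/setgid file(s):\n%s\n' "$suid"
        status=1
    fi

    # Only the two device nodes named actually uses should be present.
    devs=$(find "$dir" \( -type c -o -type b \) ! -name null ! -name random -print)
    if [ -n "$devs" ]; then
        printf 'unexpected device node(s):\n%s\n' "$devs"
        status=1
    fi

    return $status
}

# Usage on a FreeBSD host: audit_chroot /var/named
```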