Date:      Mon, 7 Jan 2002 09:06:32 -0500
From:      Joe Abley <>
Cc:        Haikal Saadh <>, stable@FreeBSD.ORG
Subject:   Re: Chrooted bind out of the box
Message-ID:  <>
In-Reply-To: <>
References:  <000001c195b1$db087880$41c801ca@warhawk> <> <> <>

On Sun, Jan 06, 2002 at 11:23:45AM -0800, Crist J. Clark wrote:
> On Sat, Jan 05, 2002 at 10:26:01PM -0500, Joe Abley wrote:
> > On Sat, Jan 05, 2002 at 02:08:46PM -0800, Crist J. Clark wrote:
> > > On Sat, Jan 05, 2002 at 11:26:00AM +0500, Haikal Saadh wrote:
> > > > Is there a reason why bind is run as root by default and not bind.bind?
> > > > And not chrooted?
> > > > 
> > > > If I'm not mistaken almost everyone does this anyway, right?
> > > 
> > > IIRC, the last time it was discussed, it was felt changing this in the
> > > middle of -STABLE would be too disruptive. Many working BIND
> > > installations would break when people updated.
> > 
> > Why not create a named_chroot variable in defaults/rc.conf which
> > is by default set to NO, but which sysinstall can override in
> > /etc/rc.conf with a YES for fresh (non-upgrade) installs?
> /etc/defaults/rc.conf are the defaults. Not everyone makes a new
> system with sysinstall(8), and having sysinstall(8) put new and
> unexpected things in rc.conf is in itself a POLA violation.

Sysinstall already installs local overrides in /etc/rc.conf. Obviously
these differ from those in /etc/defaults/rc.conf (or else the entries
would be unnecessary). Nobody said the changes needed to be unexpected.

The fact that not everybody makes a new system with sysinstall was
precisely what led me to suggest that mechanism; that way the modified
named environment is only made active if the installer has specifically
instructed sysinstall to make it so (or has installed specific tweaks
in /etc/rc.conf to make it happen).

> I was talking more about running named(8) as bind:bind. Chrooting has
> other issues, you need to actually build a chroot environment
> somewhere and decide what to put in it, and you still need to run as
> bind:bind for chrooting to be much of a security measure.

I will disagree with your last point...

> But if you really want to be clever, you should run named(8) in a
> jail(8).

... and I would sooner run named in a chroot jail in a standard
way than introduce FreeBSDisms that aren't going to be easily
administered by people more familiar with other platforms.
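Added example for this thread, not code from either poster: a small POSIX shell script that does what Crist describes (builds a chroot environment and decides what goes in it), shows the named invocation that drops to bind:bind inside that chroot using named's own -u and -t flags, and checks that the daemon can write only where it must. The chroot path, the zone name and its addresses are constructed placeholders; a real deployment would additionally chown the tree, populate dev/ with the nodes named needs, and hook the invocation into rc.conf as discussed above.

```sh
#!/bin/sh
# Added example, not from the thread: lay out a minimal chroot for named,
# print the privilege-dropping invocation, and verify the daemon cannot
# write anywhere except its pid and slave-zone directories.
# Paths, zone name and addresses are constructed placeholders.

build_named_chroot() {
    root="$1"
    umask 022
    mkdir -p "$root/etc/namedb/slave" "$root/var/run/named" "$root/dev"

    # Constructed minimal configuration: one authoritative zone. Paths are
    # written as named will see them after it has chrooted.
    cat > "$root/etc/namedb/named.conf" <<'EOF'
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
};
zone "example.test" {
    type master;
    file "example.test.db";
};
EOF
    cat > "$root/etc/namedb/example.test.db" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. ( 1 3600 900 604800 86400 )
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
EOF

    # Configuration and zone data stay read-only for the daemon; only the
    # pid-file and slave-zone directories need to be writable by it.
    chmod 0644 "$root/etc/namedb/named.conf" "$root/etc/namedb/example.test.db"
    chmod 0755 "$root" "$root/etc" "$root/etc/namedb" "$root/var" "$root/var/run" "$root/dev"
    chmod 0775 "$root/etc/namedb/slave" "$root/var/run/named"
    # As root one would also chown the tree to root and give group bind the
    # two writable directories; omitted so this script runs unprivileged.
}

# The invocation: -u switches to the unprivileged bind user once privileged
# setup is done, -t chroots, and -c is then interpreted relative to the
# new root (assumed layout, matching the directories created above).
named_cmdline() {
    printf 'named -u bind -t %s -c /etc/namedb/named.conf\n' "$1"
}

# Count group- or world-writable entries outside the two directories that
# are meant to be writable. Anything else writable by bind would let a
# compromised named rewrite its own configuration or zone data.
check_chroot_writable() {
    root="$1"
    n=$(find "$root" \( -path "$root/etc/namedb/slave" -o -path "$root/var/run/named" \) -prune \
        -o \( -perm -0002 -o -perm -0020 \) -print | wc -l)
    echo $n
}

if [ -n "$1" ]; then
    build_named_chroot "$1"
    named_cmdline "$1"
    echo "writable entries outside pid/slave dirs: $(check_chroot_writable "$1")"
fi
```

Run it as `sh named-chroot.sh /var/named` (hypothetical file and path) to create the layout and print the command line; the final count should be 0 before the tree is handed to the daemon, and it should be re-run after any later edit to the chroot.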