From nobody Fri Sep 20 13:56:23 2024
Date: Fri, 20 Sep 2024 09:56:23 -0400
From: Ryan Steinmetz
To: Andrea Venturoli
Cc: ports@freebsd.org
Subject: Re: rbldnsd does not start in a jail
References: <68c5efba-addb-4d25-9650-498b52e39b1b@netfence.it>
In-Reply-To: <68c5efba-addb-4d25-9650-498b52e39b1b@netfence.it>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
On (09/20/24 11:11), Andrea Venturoli wrote:
>Hello.
>
>I've been running rbldnsd in a jail for a long time.
>Lately it fails to start:
>>service rbldnsd start
>>Starting rbldnsd.
>>rbldnsd: listening on 127.0.2.1/10053
>>rbldnsd: unable to chroot to /usr/local/etc/rbldnsd: Operation not permitted
>>/usr/local/etc/rc.d/rbldnsd: WARNING: failed to start rbldnsd
>

This is probably something specific to your environment, as it works in a fresh jail on a 14.1-RELEASE system:

root@141R-test:~ # freebsd-version
14.1-RELEASE-p5
root@141R-test:~ # sysctl security.jail.jailed
security.jail.jailed: 1
root@141R-test:~ # ps auxw|grep rbl
rbldns 39967 0.0 0.0 12932 2624 - SsJ 13:47 0:00.00 /usr/local/sbin/rbldnsd -p /var/run/rbldnsd.pid -r /usr/local/etc/rbldnsd -w / -b 127.0.0.1/5353 bl.example.com:ip4set:example

As a starting point, I would look for defaults you have modified in:
- security.jail sysctls
- security.mac sysctls
- *chroot* sysctls
- kern.securelevel
- security.jail.param.securelevel
- Filesystem permissions in the new root dir (and its parent directories)

>I had to change "-r" to "-w" in rc.conf's rbldnsd_flags in order to
>disable chrooting.
>
>I'm not sure if this started since I upgraded from 14.0 to 14.1; looks
>like rbldnsd itself didn't change recently...
>
>Any comment?
>Was chroot in a jail disabled recently? Is some additional setting
>needed for 14.1? I didn't find anything in the release notes.
>Perhaps it does not make much sense to chroot in a jail?
>Is this a bug worth reporting?
>

chrooting in a jail is fine and can certainly make sense, especially if the jail is not 100% dedicated to rbldnsd.

-r

> bye & Thanks
> av.

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
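An added helper for working through the checklist in Ryan's reply (example code written for this page, not from the thread or the rbldnsd port): it interprets sysctl(8)-style "name: value" lines for the securelevel and chroot sysctls and walks the chroot target's directory chain. The sample sysctl dump in demo() is constructed; kern.chroot_allow_open_directories is the FreeBSD sysctl matched by "*chroot*".

```sh
#!/bin/sh
# Inside the jail, feed live values:  sysctl kern.securelevel \
#   kern.chroot_allow_open_directories | chroot_check_sysctls
# or run "sh chroot_check.sh --demo" to see it on the constructed sample.

# One verdict per line; returns 1 if a value makes chroot(2) stricter.
chroot_check_sysctls() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}; value=${line#*: }
        case "$name" in
            kern.securelevel|security.jail.param.securelevel)
                if [ "$value" -gt 0 ] 2>/dev/null; then
                    echo "WARN $name=$value (raised; check what else was hardened with it)"; rc=1
                else echo "ok   $name=$value"; fi ;;
            kern.chroot_allow_open_directories)
                case "$value" in
                    # 0: refuse chroot whenever the caller holds open directory fds.
                    0) echo "WARN $name=0: chroot refused if any directory fd is open"; rc=1 ;;
                    # 1 (default): refuse only when already chrooted; a jailed
                    # process has a non-system root, so in a jail this acts like 0.
                    1) echo "WARN $name=1: refused with open directory fds (jail counts as chrooted)"; rc=1 ;;
                    *) echo "ok   $name=$value: open directory fds never refuse chroot" ;;
                esac ;;
            *) echo "info $name=$value" ;;
        esac
    done
    return $rc
}

# Every component of the chroot target must exist and be searchable.
chroot_check_path() {
    rc=0; p=""
    oldifs=$IFS; IFS=/; set -f; set -- $1; set +f; IFS=$oldifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        p="$p/$part"
        if [ ! -d "$p" ]; then echo "FAIL $p is not a directory"; return 1; fi
        if [ ! -x "$p" ]; then echo "WARN $p not searchable by $(id -un)"; rc=1
        else echo "ok   $p"; fi
    done
    return $rc
}

demo() {   # constructed sample values, not output from the thread
    printf '%s\n' 'kern.securelevel: -1' 'security.jail.jailed: 1' \
        'kern.chroot_allow_open_directories: 1' | chroot_check_sysctls
    chroot_check_path /usr/local/etc/rbldnsd
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```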