Not getting an IPv6 in a jail

Scott Lambert lambert at lambertfam.org
Wed Sep 9 00:08:10 UTC 2009


On Tue, Sep 08, 2009 at 11:27:55AM -0700, Doug Barton wrote:
> John Baldwin wrote:
> > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> >> FLEURIOT Damien wrote:
> >>
> >>> BIND's now happily running in its jail and responding to public
> >>> queries.
> >>
> >> It's up to you if you choose to do it, but there is no reason to
> >> run BIND in a jail. The chroot feature provided by default by
> >> rc.d/named is quite adequate security.
> >
> > That is debatable.  One of the chief benefits of a jail is that if
> > a server is compromised so that an attacker can gain root access
> > that root access is limited in what it can do compared to a simple
> > chroot.  That is true for any server you would run under a jail, not
> > just BIND.
>
> On a strictly intellectual level I agree that jails are in some
> ways more limited than chroots. OTOH, named chroots by default into
> /var/named which has no binaries at all. The most "interesting" things
> in the chroot environment are /dev/null and /dev/random. Jails by
> nature have a more or less complete FreeBSD system available to the
> attacker. Also, in addition to being chroot'ed named runs by default
> as user 'bind' which is rather limited in what it can modify in the
> chroot.
>
> I realize that it's theoretically possible for an attacker to break
> out of a chroot environment, escalate their privileges, etc. I suppose
> my point is that if you're looking for things to tighten down on a
> FreeBSD system the default named configuration is not the first place
> I'd look. :)

Some of us are just using a jail per service to make the service more
portable between these massively overpowered machines these days.  For
me, jails are not always just about security.  I use them as a cheap form
of virtualization.  The security separation can be a cheap side effect
of the cheap virtualization.  This is especially cheap with the help of
sysutils/ezjail.

I do not currently have named inside a jail.  I still have a few P3
boxes in service handling some of the small tasks which I haven't gotten
around to rolling up yet.  Named inside a chroot inside a jail is not
the first thing I would go after, but when I get around to moving it off
the old server hardware, why not? :-)

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
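A defender's check that follows from Doug's description of the default named chroot (no binaries, only /dev/null and /dev/random as device nodes): a small audit script, added here as an example and not part of the thread. It assumes the chroot directory is passed as an argument (on the systems discussed that would be /var/named); the setuid/setgid check is an extra of mine, not something the thread mentions.

```sh
#!/bin/sh
# Audit a chroot directory for things an attacker would find useful:
# executable files, setuid/setgid files, and device nodes beyond the
# null and random nodes a daemon like named actually needs.

# Count regular files with the owner-execute bit set.
count_execs() {
    find "$1" -type f -perm -u+x 2>/dev/null | wc -l | tr -d ' '
}

# Count setuid or setgid regular files (assumption: none belong here).
count_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# List character/block device nodes other than null and random.
extra_devs() {
    find "$1" \( -type c -o -type b \) 2>/dev/null \
        | grep -v -e '/null$' -e '/random$'
}

# Print a summary; succeed only when the chroot is as bare as described.
audit_chroot() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    execs=$(count_execs "$dir")
    setid=$(count_setid "$dir")
    devs=$(extra_devs "$dir")
    echo "$dir: $execs executable(s), $setid setuid/setgid file(s)"
    if [ -n "$devs" ]; then
        echo "unexpected device nodes:"; echo "$devs"
    fi
    [ "$execs" -eq 0 ] && [ "$setid" -eq 0 ] && [ -z "$devs" ]
}

# Usage: sh audit_chroot.sh /var/named
if [ $# -gt 0 ]; then
    audit_chroot "$1"
fi
```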


