BIND chroot environment in 10-RELEASE...gone?

Michael Sinatra michael at rancid.berkeley.edu
Wed Dec 4 17:59:33 UTC 2013


On 12/04/13 01:58, Erwin Lansing wrote:

> It's not as simple as you describe, trust me I tried :-)

Is it not simple because the original chroot environment was wonky or is
it not simple because there's a desire to banish all remnants of BIND to
/usr/local?  It's actually a serious question, as I think the real issue
is whether we allow certain ports to install themselves in the
filesystem area typically reserved for "base."  If so, then the "tier1"
ports being described in the other thread can be the ones that can
install themselves in the "base area" which ought to make the chroot
thing a lot easier.

> The one point people in this thread seem to be missing is why BIND
> should be treated differently than all the other DNS severs?

Maybe because the work to provide a solid chroot environment has already
been done.  But that also begs the question, why is unbound now being
treated differently than all of the other DNS servers?  FreeBSD has done
a significant amount of work to integrate unbound into base *and*
provide default chroot for it.  I don't think all that work was done
just because we needed a working "host" command in the base.

> BIND may
> have a bad security reputation back from the 4 and 8 days, but do you
> really think that BIND9 is so much more insecure than say NSD or Knot
> that it needs special treatment in ports?

I don't see why NSD shouldn't have support for chroot, since it's
supported by the daemon.  In the case of Knot, I don't believe it
supports chroot.  FWIW, in OpenBSD, unbound and nsd are now in the base,
but the "isc-bind" port still installs BIND in the base area with
/var/named as the chroot.

> Or what about Apache for that
> matter?

Yep.

> If you really think that, a chroot really isn't going to help
> you much and what you really want is a jail(8).

And I do use jails, including vnet/vimage jails, mainly to separate
functions of services running on a box.  But there are still benefits to
chroot for services running on a system, as it raises the bar and can
limit the damage from a vulnerable service.  For me, it's more of a way
of combating the "unknown unknowns" of Rumsfeld's Razor.

But, as has already been pointed out in this thread, the security issues
of chroot are only part of the concern here.  Part of the reason for the
loudness of the complaining is that FreeBSD has now made for a rather
messy upgrade path for administrators of authoritative BIND servers (or
recursive/validating BIND servers, especially using RPZ, for that
matter) to go from 9.x to 10.x.  Not only was this not forewarned, we
were told back when the decision was made to remove BIND that we could
"just use the port."  Instead, we have to "just use the port," then move
all of our data/log/journal/config/etc files out of the /var/named
hierarchy and put it all somewhere in /usr/local/etc, rewrite all of the
scripts, checks, and other administrative tools to use the new
locations, etc.  Sure, if the scripts are written right, it's not a big
deal, but it all adds up to extra steps we all have to take--for the
purpose of reducing functionality.

> What should be done is
> to create an easy to do so, but for any port, not just one single port.
> I think we have all the tools available, so it is probably just a matter
> of writing some good documentation to add to the porters handbook,
> though to make it really easy might require some additions to the ports
> framework.

I am not sure that the available tools apply to vnet jails, but I think
that in general, the jail management tools are good.

> The way the BIND ports are now is actually in line with all the other
> ports in how they start and where the configuration files are.  The
> chroot code was a relic of history and the slight security benefit it
> may have today is far outweighed by the increased complexity and
> decreased consistency with the rest of the ports tree, both from a ports
> maintainance perspective and from the user perspective.  I will be happy
> to look into general frameworks to jail any daemon installed from ports,
> but will not make exceptions to a handful of ports.

Then I assume you disagree with the whole concept of tier1 ports as
described in the parallel thread.

I still think that the FreeBSD ports for BIND are excellent and you have
done a really good and helpful job in maintaining them.  I just hate to
see a lot of work being done--by all of us--that effectively leaves us
worse off.  And I understand that we probably have different
perspectives on what it means to be "worse off."

michael




More information about the freebsd-stable mailing list