On Tue, Sep 08, 2009 at 11:27:55AM -0700, Doug Barton wrote:
> John Baldwin wrote:
> > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> >> FLEURIOT Damien wrote:
> >>
> >>> BIND's now happily running in its jail and responding to public
> >>> queries.
> >>
> >> It's up to you if you choose to do it, but there is no reason to
> >> run BIND in a jail. The chroot feature provided by default by
> >> rc.d/named is quite adequate security.
> >
> > That is debatable. One of the chief benefits of a jail is that if
> > a server is compromised so that an attacker can gain root access
> > that root access is limited in what it can do compared to a simple
> > chroot. That is true for any server you would run under a jail, not
> > just BIND.
>
> On a strictly intellectual level I agree that jails are in some
> ways more limited than chroots. OTOH, named chroots by default into
> /var/named which has no binaries at all. The most "interesting" things
> in the chroot environment are /dev/null and /dev/random. Jails by
> nature have a more or less complete FreeBSD system available to the
> attacker. Also, in addition to being chroot'ed named runs by default
> as user 'bind' which is rather limited in what it can modify in the
> chroot.
>
> I realize that it's theoretically possible for an attacker to break
> out of a chroot environment, escalate their privileges, etc. I suppose
> my point is that if you're looking for things to tighten down on a
> FreeBSD system the default named configuration is not the first place
> I'd look. :)
Some of us are just using a jail per service to make the service more portable between these massively overpowered machines these days. For me, jails are not always just about security. I use them as a cheap form of virtualization. The security separation can be a cheap side effect of the cheap virtualization. This is especially cheap with the help of sysutils/ezjail.

I do not currently have named inside a jail. I still have a few P3 boxes in service handling some of the small tasks which I haven't gotten around to rolling up yet. Named inside a chroot inside a jail is not the first thing I would go after, but when I get around to moving it off the old server hardware, why not? :-)

-- 
Scott Lambert KC5MLE Unix SysAdmin
lamb...@lambertfam.org

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
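The argument above turns on what an attacker who lands inside the named chroot actually finds there: Doug's claim is that /var/named holds no binaries and only /dev/null and /dev/random as device nodes. A defender who moves named into a jail (as Scott plans to) or keeps the plain chroot can verify that claim instead of assuming it. The script below is an added example, not code from the thread or from FreeBSD's rc.d/named; it walks a chroot tree and reports executable files, setuid/setgid files and device nodes, so the only expected hits are the two device nodes Doug names. The `make_sample_chroot` function builds a constructed, deliberately untidy tree (a stray executable shell under usr/bin) so the check can be exercised without root or a real BIND install; on a real system you would run `audit_chroot /var/named` instead.

```shell
#!/bin/sh
# Audit a chroot directory for things an attacker could use after
# compromising the confined daemon: executables, setuid/setgid files
# and device nodes. Added example; the tree built by make_sample_chroot
# is constructed for demonstration and is not the real /var/named.

# Print every executable regular file, every setuid/setgid file and
# every block/character device node under the given root.
audit_chroot() {
    root=$1
    echo "== executable files under $root =="
    find "$root" -type f -perm -100 2>/dev/null
    echo "== setuid/setgid files under $root =="
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    echo "== device nodes under $root =="
    find "$root" \( -type c -o -type b \) 2>/dev/null
}

# Counting helpers so the result can be checked, not just read.
count_executables() {
    find "$1" -type f -perm -100 2>/dev/null | wc -l | tr -d ' '
}

count_devices() {
    find "$1" \( -type c -o -type b \) 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed chroot tree that resembles a named chroot layout
# but contains one thing that should not be there: an executable
# usr/bin/sh. No device nodes are created (mknod would need root), so
# a correct audit of this tree reports exactly one executable and no
# device nodes.
make_sample_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/namedb" "$d/dev" "$d/usr/bin"
    : > "$d/etc/namedb/named.conf"        # config data, not executable
    printf '#!/bin/sh\n' > "$d/usr/bin/sh"  # the stray binary
    chmod 755 "$d/usr/bin/sh"
    printf '%s' "$d"
}

# Usage: audit_chroot.sh /var/named
# Run against the constructed tree when no path is given.
if [ -n "${1:-}" ]; then
    audit_chroot "$1"
else
    sample=$(make_sample_chroot)
    audit_chroot "$sample"
    rm -rf "$sample"
fi
```

The output for a healthy default named chroot should list nothing under executables or setuid/setgid and only null and random under device nodes; anything else is a candidate for removal or for the tighter jail setup John Baldwin argues for.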