HEADS UP: named now runs chroot'ed by default

Doug Barton DougB at FreeBSD.org
Thu Sep 30 03:34:21 PDT 2004

Peter Wemm wrote:
> On Tuesday 28 September 2004 03:03 am, Doug Barton wrote:
>>I just committed a named "auto-chroot" system that will allow named
>>to run chroot'ed by default. If you have an existing named
>>configuration in /etc/namedb, the instructions for updating it are in
>>src/UPDATING. If you are already chroot'ing named, especially if you
>>are using /var/named as the chroot directory, you should back
>>everything up before upgrading and proceed with caution. :)
>>For those that don't have a named configuration, all you should have
>>to do is 'rm -r /etc/namedb' and you'll be fine.
>>Comments and suggestions are welcome, but please try to keep the
>>bikeshedding about specific bits down to an absolute minimum. The
>>directory structure and related options worked very well on hundreds
>>of name servers on a very busy enterprise network, so I have a high
>>degree of confidence that the defaults are sensible. That said, I am
>>open to genuine improvements, and dialogue on optional bits.
> Mergemaster hasn't been made aware of this.

mergemaster tries very hard not to grow special knowledge about any 
files or directories, it relies on src/etc/Makefile.

> It unconditionally installs
> the named stuff in /var/named/etc/namedb

You probably have the -a option enabled somewhere, perhaps in a 
mergemaster.rc file? Otherwise mm never takes any action by default.

> even when you've explicitly turned the chroot stuff off.

"Turning the chroot stuff off" is an rc.d option, not a make.conf 
option. If it's really necessary I suppose I could put some work into 
making the install path optional, but whether you chroot or not, putting 
the named stuff in /var is "better" for most any definition of better.

> How are we supposed to get the old behavior back?

Well, after following the instructions in UPDATING you could have all 
your old files in /var/named/etc/namedb, and /etc/namedb will then be a 
symlink to /var/named/etc/namedb. If you choose to disable chrooting in 
rc.conf, you should have exactly the same old behavior, the only 
difference is that your files will be in /var. This is one of the 
reasons I chose to implement things the way I did.

You could also choose not to delete the /etc/namedb directory, and just 
use your old files (without chrooting of course). If you want to do 
this, you might also want to add 'NO_BIND_ETC= true' to your make.conf. 
I don't recommend this of course, but it is possible to do it this way.

IMO, once you get your files transferred over, you'll never even notice 
that you're running chrooted, and it is a significant security benefit.

> This sucks. :-(

Thank you for your kind words. :)



     This .signature sanitized for your protection

More information about the freebsd-current mailing list