Ports and jails

Mark Foster mark at foster.cc
Fri Aug 27 12:34:06 PDT 2004

On Fri, Aug 27, 2004 at 02:42:04PM +0200, Oliver Eikemeier wrote:
> Alessandro Dellavedova wrote:
> >In our infrastructure we use some daemons (bind, dhcp, openldap) that  
> >must run into a jail for security reasons.. do you think that having a  
> >keyword JAILED=YES in the Makefiles of ports would be useful ?
> openldap could be run without opening a TCP/IP socket (by using UNIX 
> domain sockets), bind chrooted as a non-priviledged user and dhcpd often 
> needs to listen to more than one interface (and not to externally 
> reachable ones), so a jail is not always a "must".
> >Something like make install PREFIX=/path/to/jail JAILED=YES will be  
> >difficult to implement ?
> jails are complete subsystems, so you could either compile the port 
> inside the jail, or use a package building system and install it by 
> pkg_add(1). Installing from a port into a jail is not really supported, 
> and I don't see any necessity to do so.
I'll bet he meant chroot() like bind9 takes with -t

Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP <mark at foster.cc>  http://mark.foster.cc/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20040827/4feecb5f/attachment.bin

More information about the freebsd-ports mailing list