Ports and jails
Mark Foster
mark at foster.cc
Fri Aug 27 12:34:06 PDT 2004
On Fri, Aug 27, 2004 at 02:42:04PM +0200, Oliver Eikemeier wrote:
> Alessandro Dellavedova wrote:
>
> >In our infrastructure we use some daemons (bind, dhcp, openldap) that
> >must run in a jail for security reasons. Do you think that having a
> >keyword JAILED=YES in the Makefiles of ports would be useful ?
>
> openldap could be run without opening a TCP/IP socket (by using UNIX
> domain sockets), bind chrooted as a non-privileged user and dhcpd often
> needs to listen to more than one interface (and not to externally
> reachable ones), so a jail is not always a "must".
>
> >Something like make install PREFIX=/path/to/jail JAILED=YES will be
> >difficult to implement ?
>
> jails are complete subsystems, so you could either compile the port
> inside the jail, or use a package building system and install it by
> pkg_add(1). Installing from a port into a jail is not really supported,
> and I don't see any necessity to do so.
>
I'll bet he meant chroot() like bind9 takes with -t
--
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP <mark at foster.cc> http://mark.foster.cc/