Not getting an IPv6 in a jail

Doug Barton dougb at FreeBSD.org
Tue Sep 8 18:27:57 UTC 2009


John Baldwin wrote:
> On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
>> FLEURIOT Damien wrote:
>>
>>> BIND's now happily running in its jail and responding to public
>>> queries.
>> It's up to you if you choose to do it, but there is no reason to run
>> BIND in a jail. The chroot feature provided by default by rc.d/named
>> is quite adequate security.
> 
> That is debatable.  One of the chief benefits of a jail is that if a server is 
> compromised so that an attacker can gain root access that root access is 
> limited in what it can do compared to a simple chroot.  That is true for any 
> server you would run under a jail, not just BIND.

On a strictly intellectual level I agree that jails are in some ways
more limited than chroots. OTOH, named chroots by default into
/var/named which has no binaries at all. The most "interesting" things
in the chroot environment are /dev/null and /dev/random. Jails by
nature have a more or less complete FreeBSD system available to the
attacker. Also, in addition to being chroot'ed named runs by default
as user 'bind' which is rather limited in what it can modify in the
chroot.

I realize that it's theoretically possible for an attacker to break
out of a chroot environment, escalate their privileges, etc. I suppose
my point is that if you're looking for things to tighten down on a
FreeBSD system the default named configuration is not the first place
I'd look. :)


Doug
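
The properties described in the message above (no binaries under /var/named, /dev/null and /dev/random as the only device nodes, a service user with limited write access) can be checked on a given system with a short script. This is an added example, not part of the original post or of FreeBSD's rc.d scripts; the function names are hypothetical, and the default path and user are taken from the message as assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot tree such as the one named uses.
# Assumed defaults (from the message): chroot /var/named, user "bind".

# Regular files with any execute, setuid or setgid bit set.
list_executables() {
    find "${1%/}" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -4000 -o -perm -2000 \) -print
}

# Device nodes other than the two the message says to expect.
list_unexpected_devices() {
    root=${1%/}
    find "$root" \( -type c -o -type b \) -print |
        grep -vxF -e "$root/dev/null" -e "$root/dev/random" || true
}

# Paths the service user owns, plus anything world-writable.
list_modifiable() {
    find "${1%/}" ! -type l \( -user "$2" -o -perm -002 \) -print
}

# Print a report; return 1 if executables or unexpected devices exist.
audit_chroot() {
    rc=0
    exes=$(list_executables "$1")
    devs=$(list_unexpected_devices "$1")
    if [ -n "$exes" ]; then
        printf 'executable or setuid/setgid files:\n%s\n' "$exes"; rc=1
    fi
    if [ -n "$devs" ]; then
        printf 'unexpected device nodes:\n%s\n' "$devs"; rc=1
    fi
    printf 'modifiable by %s or world-writable:\n' "$2"
    list_modifiable "$1" "$2"
    return "$rc"
}

# Usage: sh audit.sh /var/named bind   (does nothing without arguments)
[ "$#" -eq 0 ] || audit_chroot "$1" "${2:-bind}"
```

A non-zero exit status means the tree contains something the message says should not be there; the list of modifiable paths is informational and shows how much the service user could change after a compromise.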


More information about the freebsd-stable mailing list