On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists at bsdforge.com> wrote:

> On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug at nethelp.no wrote
>
> > > > > It was a deliberate decision made by the maintainer. He said the chroot
> > > > > code in the installation was too complicated and would be removed as a
> > > > > part of the installation clean-up to get all BIND related files out of
> > > > > /usr and /etc. I protested at the time as did someone else, but the
> > > > > maintainer did not respond. I think this was a really, really bad
> > > > > decision.
> > > > >
> > > > > I searched a bit for the thread on removing BIND leftovers, but have
> > > > > failed to find it.
> > > >
> > > > You're probably thinking about my November 17 posting:
> > > >
> > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > >
> > > > I'm glad to see others finally speaking up; I was beginning to think I
> > > > was the only one who thought this was not a good idea. I'm a bit
> > > > surprised that no one has responded yet.
> > >
> > > I agree with the protesters here. Removing chroot and symlinking logic
> > > in the ports is a significant disservice to FreeBSD users, and will
> > > make it harder to use BIND in a sensible way. A net disincentive to
> > > use FreeBSD :-(
> >
> > I have now installed my first 10.1 based name server. I had to spend
> > some hours to recreate the changeroot environment that I had so easily
> > available in FreeBSD up to 9.x.
> >
> > <rant>
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > </rant>
>
> In all fairness (is there even such a thing?);
> "Convenience" is a two-way street. For each person that thinks
> the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> are at *least* as many who feel differently. I chose to remove/disable
> the BIND, from BASE, some time ago, as it wasn't "convenient" to have
> to overcome/deal with the CVE/security issues. In the end, I was forced
> to re-examine some of the other resolvers, that ultimately, only proved
> to be better choice(s).
>
> Just sayin'
>
> --Chris

Please don't conflate issues. Moving BIND out of the base system is
something long overdue. I know that the longtime BIND maintainer, Doug B,
had long felt it should be removed. This has exactly NOTHING to do with
removing the default chroot installation. The ports were, by default,
installed chrooted. Jailed would have been better, but it was not something
that could be done in a port unless the jail had already been set up.
chroot is still vastly superior to not chrooted and I was very distressed
to see it go from the ports.

Disclaimer, since I retired I am no longer running a DNS server, so this
had no impact on me. I simply see it as an unfortunate regression.
--
Kevin Oberman, Network Engineer, Retired
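sthaug's remark (quoted above) about spending hours to recreate the 9.x changeroot environment on a 10.1 host, and Kevin's point that a chrooted named is still vastly better than an unchrooted one, can be made concrete. The script below is an added example written for this page; it is not code from the thread, not the old rc.d/named, and not anything from the FreeBSD project. It approximates what the pre-10.x named_chrootdir logic did: build a skeleton under the chroot, mount a devfs that exposes only null, random and zero, symlink /etc/namedb and the pid file into the chroot, and start named with -t (chroot) and -u (drop privileges). The directory layout, the minimal named.conf, the user name bind and the devfs ruleset number 1 (devfsrules_hide_all in the stock /etc/defaults/devfs.rules) are assumptions; the named, named-checkconf, devfs and procstat invocations use standard options.

```shell
#!/bin/sh
# Recreate a chroot for BIND's named on FreeBSD 10.x, approximating what the
# pre-10.x rc.d/named "named_chrootdir" logic did with mtree(8), devfs(8) and
# symlinks. Added example, not code from the thread or from the FreeBSD
# project; the skeleton, the sample named.conf and the devfs ruleset number
# are assumptions, not a copy of /etc/mtree/BIND.chroot.dist or rc.d/named.
#
# Usage (as root):  sh bind-chroot.sh setup /var/named bind
#                   sh bind-chroot.sh check /var/named

# Directory skeleton plus a minimal recursive-resolver named.conf under $1.
# Needs no privileges, so this part can be exercised on any host.
make_named_chroot() {
    chroot_dir=$1
    for d in etc/namedb/master etc/namedb/slave etc/namedb/dynamic \
             etc/namedb/working var/run/named var/dump var/stats dev; do
        mkdir -p "$chroot_dir/$d"
    done
    # Every path in named.conf is resolved AFTER named has called chroot(2),
    # so they are written relative to the new root, not prefixed with $1.
    cat > "$chroot_dir/etc/namedb/named.conf" <<'EOF'
options {
    directory       "/etc/namedb/working";
    pid-file        "/var/run/named/pid";
    dump-file       "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on       { 127.0.0.1; };
    recursion       yes;
    allow-recursion { 127.0.0.1; };
};
EOF
}

# The command the old rc script effectively ran: start as root (needed for
# chroot(2) and port 53), chroot into $1, then drop to user $2. Because of
# the chroot, -c is the config path as seen from inside it.
named_chroot_cmdline() {
    printf 'named -u %s -t %s -c /etc/namedb/named.conf\n' "$2" "$1"
}

# Root-only part: devfs exposing only null/random/zero, ownership of the
# directories named writes to, and the symlinks that keep /etc/namedb and
# the pid file where the rest of the system expects them.
setup_named_chroot() {
    chroot_dir=$1
    named_user=${2:-bind}
    make_named_chroot "$chroot_dir"

    # Inside a jail devfs is already the jail's own; only do this on a host.
    if [ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then
        mount -t devfs devfs "$chroot_dir/dev"
        # Ruleset 1 is devfsrules_hide_all in /etc/defaults/devfs.rules
        # (assumption: the stock file is in place); unhide what named needs.
        devfs -m "$chroot_dir/dev" rule -s 1 applyset
        for dev in null random zero; do
            devfs -m "$chroot_dir/dev" rule apply path "$dev" unhide
        done
    fi

    for d in etc/namedb/slave etc/namedb/dynamic etc/namedb/working \
             var/run/named var/dump var/stats; do
        chown "$named_user" "$chroot_dir/$d"
    done

    if [ -d /etc/namedb ] && [ ! -L /etc/namedb ]; then
        echo "/etc/namedb is a real directory; move it aside first" >&2
        return 1
    fi
    mkdir -p /var/run/named
    ln -fhs "$chroot_dir/etc/namedb" /etc/namedb
    ln -fhs "$chroot_dir/var/run/named/pid" /var/run/named/pid

    echo "start named with:"
    named_chroot_cmdline "$chroot_dir" "$named_user"
}

# Checks worth running before trusting the setup: validate the config exactly
# as named will read it from inside the chroot (named-checkconf -t chroots
# too, so this needs root), and, once named is running, confirm the process
# root really is the chroot (procstat -f lists it in the row whose FD column
# reads "root").
check_named_chroot() {
    chroot_dir=$1
    named-checkconf -t "$chroot_dir" /etc/namedb/named.conf || return 1
    if [ -r "$chroot_dir/var/run/named/pid" ]; then
        procstat -f "$(cat "$chroot_dir/var/run/named/pid")" |
            awk -v want="$chroot_dir" '$3 == "root" { print "root:", $NF;
                                        if ($NF != want) exit 1 }'
    fi
}

case "${1:-}" in
    setup) setup_named_chroot "$2" "${3:-bind}" ;;
    check) check_named_chroot "$2" ;;
esac
```

The -u drop is what gives the chroot its value: named has to start as root to call chroot(2) and bind port 53, and a process that stays root inside a chroot can get back out, whereas a jail confines root as well. That is the gap Kevin points at with "jailed would have been better"; the script above reproduces the old chroot behaviour, not a jail.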
On Mon, 15 Dec 2014 22:12:45 -0800 Kevin Oberman <rkoberman at gmail.com> wrote

> On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists at bsdforge.com> wrote:
>
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug at nethelp.no wrote
> >
> > > > > > It was a deliberate decision made by the maintainer. He said the chroot
> > > > > > code in the installation was too complicated and would be removed as a
> > > > > > part of the installation clean-up to get all BIND related files out of
> > > > > > /usr and /etc. I protested at the time as did someone else, but the
> > > > > > maintainer did not respond. I think this was a really, really bad
> > > > > > decision.
> > > > > >
> > > > > > I searched a bit for the thread on removing BIND leftovers, but have
> > > > > > failed to find it.
> > > > >
> > > > > You're probably thinking about my November 17 posting:
> > > > >
> > > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > > >
> > > > > I'm glad to see others finally speaking up; I was beginning to think I
> > > > > was the only one who thought this was not a good idea. I'm a bit
> > > > > surprised that no one has responded yet.
> > > >
> > > > I agree with the protesters here. Removing chroot and symlinking logic
> > > > in the ports is a significant disservice to FreeBSD users, and will
> > > > make it harder to use BIND in a sensible way. A net disincentive to
> > > > use FreeBSD :-(
> > >
> > > I have now installed my first 10.1 based name server. I had to spend
> > > some hours to recreate the changeroot environment that I had so easily
> > > available in FreeBSD up to 9.x.
> > >
> > > <rant>
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > > </rant>
> >
> > In all fairness (is there even such a thing?);
> > "Convenience" is a two-way street. For each person that thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > the BIND, from BASE, some time ago, as it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, that ultimately, only proved
> > to be better choice(s).
> >
> > Just sayin'
> >
> > --Chris
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted

Agreed.

> and I was very distressed
> to see it go from the ports.
>
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.

In the end I was forced to explore other avenues I probably wouldn't have
taken the time to do (then). In the end, I was all the better for having
done so. The same might also be said for chroot v. jail v {...}
It wasn't my intention to "pick" on any app/policy, per se;

--Chris

> --
> Kevin Oberman, Network Engineer, Retired
On Mon, 15 Dec 2014 22:12:45 -0800, Kevin Oberman wrote:

> On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists at bsdforge.com> wrote:
>
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug at nethelp.no wrote
[..]
> > > <rant>
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > > </rant>
> >
> > In all fairness (is there even such a thing?);
> > "Convenience" is a two-way street. For each person that thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > the BIND, from BASE, some time ago, as it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, that ultimately, only proved
> > to be better choice(s).
> >
> > Just sayin'
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.

Me too, which is why I was pleased to see Warren's excellent handbook
example of setting up BIND in a jail as well catering to that need:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind

That's for a caching-only local resolver, but it's hardly a long jump to
extend that framework to an authoritative nameserver, BIND or otherwise.

Good docs are gold, and can sometimes compensate for notsogood policy :)

cheers, Ian
On Mon, Dec 15, 2014 at 10:12:45PM -0800, Kevin Oberman wrote:
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>

While I don't want to get dragged down into this discussion that can go on
forever without any consensus, I just want to point out that there is a
slight twist to the above description. Due to implementational details, the
ports' chroot was actually inside the base system parts of BIND. Removing
the one removed the other. I did try my hand at a reimplementation
self-contained in the port, but that proved less trivial than thought and I
never reached a satisfactory solution. If anyone wants to try their hands at
it as well and convince the new port maintainer, please do so, but trust me
when I say that, e.g., an ezjail solution is much easier to set up and
maintain than reverting to the old functionality.

In the end, I'd rather see a more general solution that can chroot, or jail,
an arbitrary daemon from ports rather than special treatment of a single
port. If BIND, why not also NSD, unbound, or apache, for argument's sake?

Erwin
--
Erwin Lansing                                     http://droso.dk
erwin at FreeBSD.org                                http://www.FreeBSD.org