On (09/20/24 11:11), Andrea Venturoli wrote:
> Hello.
> I've been running rbldnsd in a jail for a long time.
> Lately it fails to start:
>
> service rbldnsd start
> Starting rbldnsd.
> rbldnsd: listening on 127.0.2.1/10053
> rbldnsd: unable to chroot to /usr/local/etc/rbldnsd: Operation not permitted
> /usr/local/etc/rc.d/rbldnsd: WARNING: failed to start rbldnsd
This is probably something specific to your environment, as it works in
a fresh jail on a 14.1-RELEASE system:
root@141R-test:~ # freebsd-version
14.1-RELEASE-p5
root@141R-test:~ # sysctl security.jail.jailed
security.jail.jailed: 1
root@141R-test:~ # ps auxw|grep rbl
rbldns 39967 0.0 0.0 12932 2624 - SsJ 13:47 0:00.00 /usr/local/sbin/rbldnsd -p /var/run/rbldnsd.pid -r /usr/local/etc/rbldnsd -w / -b 127.0.0.1/5353 bl.example.com:ip4set:example
As a starting point, I would look for defaults you have modified in:
- security.jail sysctls
- security.mac sysctls
- *chroot* sysctls
- kern.securelevel
- security.jail.param.securelevel
- Filesystem permissions in the new root dir (and its parent directories)
> I had to change "-r" to "-w" in rc.conf's rbldnsd_flags in order to
> disable chrooting.
>
> I'm not sure whether this started when I upgraded from 14.0 to 14.1; it looks
> like rbldnsd itself didn't change recently...
>
> Any comment?
> Was chroot in a jail disabled recently? Is some additional setting
> needed for 14.1? I didn't find anything in the release notes.
> Perhaps it does not make much sense to chroot in a jail?
> Is this a bug worth reporting?
chrooting in a jail is fine and can certainly make sense, especially if
the jail is not 100% dedicated to rbldnsd.
-r
> bye & Thanks
> av.
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
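The checklist in the reply above, turned into a script. This is an added example for this page, not code from the thread, from rbldnsd or from FreeBSD. It assumes it is run as root inside the affected jail and that the chroot target is rbldnsd's -r argument (the thread's /usr/local/etc/rbldnsd). The oids kern.chroot_allow_open_directories and security.bsd.unprivileged_chroot are my choice of "*chroot* sysctls" to read; the other names are the ones listed in the reply. One practical note: chroot(2) reports EPERM ("Operation not permitted") for policy refusals such as the open-directories rule, a privilege check or a MAC veto, and EACCES for missing search permission on the path, so with the error shown in the thread the sysctl and MAC output is the first thing to read and the permission walk is the second.

```shell
#!/bin/sh
# Diagnostic for "unable to chroot to ...: Operation not permitted" in a jail.
# Added example for this thread; not part of rbldnsd or of any message above.
# Assumption: run as root inside the affected jail; the argument is the
# directory given to rbldnsd's -r flag (/usr/local/etc/rbldnsd in the thread).

# Print the sysctls from the reply's checklist, plus the two chroot-related
# oids I added (kern.chroot_allow_open_directories, security.bsd.unprivileged_chroot).
# "(absent)" means this kernel does not expose the oid at all.
dump_sysctls() {
    for oid in security.jail.jailed \
               security.jail.param.securelevel \
               kern.securelevel \
               kern.chroot_allow_open_directories \
               security.bsd.unprivileged_chroot; do
        if val=$(sysctl -n "$oid" 2>/dev/null); then
            printf '%-40s %s\n' "$oid" "$val"
        else
            printf '%-40s (absent)\n' "$oid"
        fi
    done
    # A loaded MAC policy can veto chroot(2); show which ones report as enabled.
    sysctl security.mac 2>/dev/null | grep '\.enabled: ' \
        || echo "no security.mac policies report an .enabled value"
}

# Walk from DIR up to / and print mode, owner and group of every component,
# so a missing, non-directory or unsearchable component stands out.
# Returns 1 if any component is missing or not a directory, 0 otherwise.
walk_parents() {
    dir=$1
    # Make the path absolute so the dirname loop always terminates at "/".
    case $dir in
        /*) ;;
        *) dir="$PWD/$dir" ;;
    esac
    rc=0
    while :; do
        if [ -d "$dir" ]; then
            ls -ld "$dir"
        else
            echo "MISSING or not a directory: $dir"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

main() {
    echo "== sysctls =="
    dump_sysctls
    echo "== chroot path: $1 =="
    walk_parents "$1"
}

# Run only when a chroot directory is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Usage: `sh check_rbldnsd_chroot.sh /usr/local/etc/rbldnsd` inside the jail, then run the same command in a jail where rbldnsd starts (as in the reply's fresh 14.1 jail) and diff the two outputs; the line that differs is the setting to look at first.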