Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 11.3.2016 09:32, Martin Babinsky wrote:
> On 03/11/2016 07:24 AM, Jan Cholasta wrote:
>> On 9.3.2016 11:14, Martin Babinsky wrote:
>>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>>
>>>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>>>> AFAIK considered good security practice)?
>>>>>
>>>>> I would not invest into it:
>>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>>
>>>> +1
>>>> Martin
>>>
>>> Then the patch should be sufficient, yes?
>>
>> Yes, but I would prefer if the directive was visually separated from requires
>> and had a comment (see how nss-pam-ldapd conflicts in freeipa-server is done).
>
> Fixed

Thanks, ACK.

Pushed to:
master: 3ab63fa6ba60947b1452c2108c4cf7637f4aacdb
ipa-4-3: 2b1b9ad6722e7008a97f09dc4a34019ad250cd4d

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 03/11/2016 07:24 AM, Jan Cholasta wrote:
> On 9.3.2016 11:14, Martin Babinsky wrote:
>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>
>>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>>> AFAIK considered good security practice)?
>>>>
>>>> I would not invest into it:
>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>
>>> +1
>>> Martin
>>
>> Then the patch should be sufficient, yes?
>
> Yes, but I would prefer if the directive was visually separated from requires
> and had a comment (see how nss-pam-ldapd conflicts in freeipa-server is done).

Fixed

--
Martin^3 Babinsky

From 14f42f09ffbe0b7c90239d440398bfcd49229f3c Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Mon, 7 Mar 2016 12:41:53 +0100 Subject: [PATCH] spec: add conflict with bind-chroot to freeipa-server-dns https://fedorahosted.org/freeipa/ticket/5696 --- freeipa.spec.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 9e277020d70215e052ab6c905b1c6a29ae6cdd4d..71a5df0455e021832caa01b5519af5aa612af061 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -270,6 +270,9 @@ Obsoletes: %{alt_name}-server-dns < %{version} # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server <= 4.2.0 +# FreeIPA does not support running integrated BIND in chroot jail +Conflicts: bind-chroot + %description server-dns IPA integrated DNS server with support for automatic DNSSEC signing. Integrated DNS server is BIND 9. OpenDNSSEC provides key management. -- 2.5.0
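Review bot: the new `Conflicts: bind-chroot` line in the `server-dns` preamble is unversioned, which matches the stated intent (integrated BIND under chroot is unsupported with any bind-chroot build), but RPM will then also refuse to upgrade freeipa-server-dns on existing hosts that already have bind-chroot installed until that package is removed, so an upgrade note in the ticket or release notes is worth considering. The comment above the directive could cite the ticket (https://fedorahosted.org/freeipa/ticket/5696) or the howto page linked in this thread so the reason is discoverable from the spec file alone; the directive is otherwise correctly separated from the `Obsoletes:` lines by a comment and a blank line, as requested in review.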
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 9.3.2016 11:14, Martin Babinsky wrote:
> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>
>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>> AFAIK considered good security practice)?
>>>
>>> I would not invest into it:
>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>
>> +1
>> Martin
>
> Then the patch should be sufficient, yes?

Yes, but I would prefer if the directive was visually separated from requires
and had a comment (see how nss-pam-ldapd conflicts in freeipa-server is done).

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 03/07/2016 04:28 PM, Martin Kosek wrote:
> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>
>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>> AFAIK considered good security practice)?
>>
>> I would not invest into it:
>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>
> +1
> Martin

Then the patch should be sufficient, yes?

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 03/07/2016 03:17 PM, Petr Spacek wrote:
> On 7.3.2016 13:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5696
>>
>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>> AFAIK considered good security practice)?
>
> I would not invest into it:
> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

+1
Martin
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 7.3.2016 13:27, Jan Cholasta wrote:
> Hi,
>
> On 7.3.2016 12:47, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5696
>
> Shouldn't we rather fix IPA to work with bind running in chroot (which is
> AFAIK considered good security practice)?

I would not invest into it:
http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
Hi,

On 7.3.2016 12:47, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5696

Shouldn't we rather fix IPA to work with bind running in chroot (which is
AFAIK considered good security practice)?

Honza

--
Jan Cholasta