Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-19 Thread Jan Cholasta

On 11.3.2016 09:32, Martin Babinsky wrote:
> On 03/11/2016 07:24 AM, Jan Cholasta wrote:
>> On 9.3.2016 11:14, Martin Babinsky wrote:
>>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>>
>>>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>>>> AFAIK considered good security practice)?
>>>>>
>>>>> I would not invest into it:
>>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>>
>>>> +1
>>>>
>>>> Martin
>>>
>>> Then the patch should be sufficient, yes?
>>
>> Yes, but I would prefer if the directive was visually separated from
>> requires and had a comment (see how nss-pam-ldapd conflicts in
>> freeipa-server is done).
>
> Fixed

Thanks, ACK.

Pushed to:
master: 3ab63fa6ba60947b1452c2108c4cf7637f4aacdb
ipa-4-3: 2b1b9ad6722e7008a97f09dc4a34019ad250cd4d


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-11 Thread Martin Babinsky

On 03/11/2016 07:24 AM, Jan Cholasta wrote:
> On 9.3.2016 11:14, Martin Babinsky wrote:
>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>
>>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>>> AFAIK considered good security practice)?
>>>>
>>>> I would not invest into it:
>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>
>>> +1
>>>
>>> Martin
>>
>> Then the patch should be sufficient, yes?
>
> Yes, but I would prefer if the directive was visually separated from
> requires and had a comment (see how nss-pam-ldapd conflicts in
> freeipa-server is done).

Fixed

--
Martin^3 Babinsky

From 14f42f09ffbe0b7c90239d440398bfcd49229f3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 7 Mar 2016 12:41:53 +0100
Subject: [PATCH] spec: add conflict with bind-chroot to freeipa-server-dns

https://fedorahosted.org/freeipa/ticket/5696
---
 freeipa.spec.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9e277020d70215e052ab6c905b1c6a29ae6cdd4d..71a5df0455e021832caa01b5519af5aa612af061 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -270,6 +270,9 @@ Obsoletes: %{alt_name}-server-dns < %{version}
 # upgrade path from monolithic -server to -server + -server-dns
 Obsoletes: %{name}-server <= 4.2.0
 
+# FreeIPA does not support running integrated BIND in chroot jail
+Conflicts: bind-chroot
+
 %description server-dns
 IPA integrated DNS server with support for automatic DNSSEC signing.
 Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
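Review bot: the comment above the new `Conflicts: bind-chroot` line states the limitation but not the reason for it, so a future maintainer may read it as a temporary bug rather than a deliberate decision; since the thread settled on not supporting chroot because the project's own howto says chroot should not be treated as a security feature, suggest pointing the comment at that decision, e.g. `# FreeIPA does not support running integrated BIND in chroot jail, see https://fedorahosted.org/freeipa/ticket/5696`. Placement after the Obsoletes block, set off by blank lines before %description, matches the reviewer's request to keep the directive visually separated.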
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-10 Thread Jan Cholasta

On 9.3.2016 11:14, Martin Babinsky wrote:
> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>
>>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>>> AFAIK considered good security practice)?
>>>
>>> I would not invest into it:
>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>
>> +1
>>
>> Martin
>
> Then the patch should be sufficient, yes?

Yes, but I would prefer if the directive was visually separated from
requires and had a comment (see how nss-pam-ldapd conflicts in
freeipa-server is done).


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-09 Thread Martin Babinsky

On 03/07/2016 04:28 PM, Martin Kosek wrote:
> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>
>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>> AFAIK considered good security practice)?
>>
>> I would not invest into it:
>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>
> +1
>
> Martin

Then the patch should be sufficient, yes?

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Martin Kosek
On 03/07/2016 03:17 PM, Petr Spacek wrote:
> On 7.3.2016 13:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5696
>>
>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>> AFAIK considered good security practice)?
> 
> I would not invest into it:
> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

+1

Martin



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Petr Spacek
On 7.3.2016 13:27, Jan Cholasta wrote:
> Hi,
> 
> On 7.3.2016 12:47, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5696
> 
> Shouldn't we rather fix IPA to work with bind running in chroot (which is
> AFAIK considered good security practice)?

I would not invest into it:
http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Jan Cholasta

Hi,

On 7.3.2016 12:47, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5696

Shouldn't we rather fix IPA to work with bind running in chroot (which
is AFAIK considered good security practice)?

Honza

--
Jan Cholasta
