Message-ID: <448604F0.9070406@erdgeist.org>
Date: Wed, 07 Jun 2006 00:42:56 +0200
From: Dirk Engling
To: freebsd-rc
Subject: New feature exec_afterstart
List-Id: "Discussion related to /etc/rc.d design and implementation."

Hello,

while incorporating some of the jail options grouping stuff into /etc/rc.d/jail I noticed the introduction of a new feature called "exec_afterstart". This has not been discussed here on list but yet was introduced in 1.34 and is going to be MFCed somewhere around soon.

When googling around I found this:

http://www.freebsd.org/cgi/query-pr.cgi?pr=97697

I do not see what this approach yields that cannot simply be accomplished by a second jail on the same jailroot/IP combination; correct me if I am wrong.

Further, I cannot see what /bin/sh introduces in terms of system (in)security that will not happen to you if you have syscalls.

The patch introduces the same ugly enumeration style that already sucks in the ifconfig rc script and should be deprecated. Correct me if I am wrong.

So I'd strongly vote not to MFC but rather to remove this feature.

Btw.: Where do these kinds of discussions normally take place? I mean before things are committed.

Regards

erdgeist