Date:      Mon, 21 Apr 2025 10:43:44 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        freebsd-pkgbase@freebsd.org
Subject:   Splitting critical libraries from interactive shell in runtime package
Message-ID:  <015C4C6B-1CEC-4398-A8B9-CE21E88C617C@tetlows.org>

A while ago, I was playing around with building stripped-down jails based on pkgbase and noticed that /bin/sh and a whole host of interactive commands are in the FreeBSD-runtime package. This seemed weird to me as my stripped-down jail that is intended to run nginx should only have the runtime libraries necessary. Including /bin/sh and friends is unnecessary and would only enable an attacker to gain a foothold more easily. I recall trying to get it more minimal, but FreeBSD-runtime is a critical package that must be installed given things like PAM and some extremely critical libraries (libz, libcap, libutil, etc.) are in this package.

So, my proposal/question is, can we split out the critical libraries from the shell and supporting commands in the runtime package so a minimal jail could be properly built via pkgbase? What needs to happen to make that work?

Digging around, I found dfr@ asking about this in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273783. There seemed to be agreement from manu@ that making a shell-free environment is a good goal we can support.

Thanks,
Gordon
