Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 17 Jul 2000 12:00:46 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Warner Losh <imp@village.org>
Cc:        Brian Fundakowski Feldman <green@FreeBSD.org>, freebsd-arch@FreeBSD.org
Subject:   Re: SysctlFS
Message-ID:  <397357DE.2781E494@elischer.org>
References:  <Pine.BSF.4.21.0007160327310.82825-100000@green.dyndns.org> <200007160740.BAA51827@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

Warner Losh wrote:
> 

> 
> But this sort of thing is potentially worse.  If you can follow the
> symlink out of jail, can you use it to get to other files?
> 
> The only way that device nodes exist in the jail now is if the jailors
> create them for the Jail.  Ditto with mount points.  Ditto with this.
> 
> I'm sure that any sort of automatic adding of device nodes to a
> jail'd process' space is wrong by default.  All things that aren't
> explicitly permitted are forbidden.

> : > Why bother with a symlink?  Why not have a reference to the real
> : > dev_t?
> :
> : The dev_t of what, exactly?
> 
> The device that the jailed process can access.  Right now we put the
> dev_t in the hierarchy of the jailed process, which is the userland
> dev_t.  With a devfs implementation, you could put the kerneland dev_t
> into the filesystem generally.  If you do that, then you'll need to do
> that in jail as well.  If you don't, mknod is suffient for jailed
> processes, plus maybe with a major number lookup routine (kernel, tell
> me what the major number for wd).

See my other email onn this topic.. 
I don;t propose Symlinks.. that would eba security whole.
I propose a SYMLINK_LIKE MECHANISM to replace major numbers
in normal cdev nodes created within the filesystem, that
reflect into the device namespace.

> 
> Warner
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
     ;_.---._/  presently in:  Budapest
            v


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397357DE.2781E494>