From owner-freebsd-current@FreeBSD.ORG  Fri May 21 01:14:33 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id EC76716A4CE; Fri, 21 May 2004 01:14:33 -0700 (PDT)
Received: from cell.sick.ru (cell.sick.ru [217.72.144.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 1AE4843D1F; Fri, 21 May 2004 01:14:33 -0700 (PDT)
	(envelope-from glebius@cell.sick.ru)
Received: from cell.sick.ru (glebius@localhost [127.0.0.1])
	by cell.sick.ru (8.12.9/8.12.8) with ESMTP id i4L8EKvw089369
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 21 May 2004 12:14:20 +0400 (MSD)
	(envelope-from glebius@cell.sick.ru)
Received: (from glebius@localhost)
	by cell.sick.ru (8.12.9/8.12.6/Submit) id i4L8EJo6089368;
	Fri, 21 May 2004 12:14:19 +0400 (MSD)
Date: Fri, 21 May 2004 12:14:19 +0400
From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Pawel Jakub Dawidek <pjd@freebsd.org>
Message-ID: <20040521081419.GB89262@cell.sick.ru>
References: <20040520220145.GN4567@genius.tao.org.uk>
	<20040521080218.GY845@darkness.comp.waw.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20040521080218.GY845@darkness.comp.waw.pl>
User-Agent: Mutt/1.5.6i
cc: Josef Karthauser <joe@freebsd.org>
cc: freebsd-current@freebsd.org
Subject: Re: Call for a hacker.... security.bsd.see_other_uids in jails only
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2004 08:14:34 -0000

On Fri, May 21, 2004 at 10:02:18AM +0200, Pawel Jakub Dawidek wrote:
P> Implementation wouldn't be probably too hard, but I can't agree it should
P> be committed. We need to know where jail's virtualization ends and I think
P> it is too far. Of course it will be cool to have those sysctl on per-jail
P> basics, as well as others from security.bsd. tree
P> (like security.bsd.suser_enabled), but I'm not sure this is the right way
P> to go.
P> 
P> Any other opinions? If someone convince me we should do it, I can do it.

A more general solution will be better, but harder to implement: make
some sysctl branches (e.g. security.bsd) local per jail, and possibility to
change them only from host machine.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE