Date: Sat, 19 Dec 1998 12:00:53 +0100 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Don Lewis <Don.Lewis@tsc.tdk.com> Cc: "Marco Molteni" <molter@tin.it>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, freebsd-security@FreeBSD.ORG Subject: Re: A better explanation (was: buffer overflows and chroot) Message-ID: <36263.914065253@critter.freebsd.dk> In-Reply-To: Your message of "Fri, 18 Dec 1998 22:41:45 PST." <199812190641.WAA11564@salsa.gv.tsc.tdk.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>} The basic concept is that root is only root in a jail if the filesystem >} protects the rest of the system, otherwise he isn't. For instance he >} can change the owner or modes on a file, but he cannot change IP# on >} an interface. He can bind to a priviledged TCP port, but only on the >} IP# which belongs to the jail. And so forth. Works pretty well. > >The IP restrictions would be very handy for some of the stuff that I do. > >Can a process in jail kill() a process outside jail? Can the compartments >nest? No & no. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36263.914065253>