From owner-freebsd-security Sat Dec 19 03:15:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA26205 for freebsd-security-outgoing; Sat, 19 Dec 1998 03:15:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA26200 for ; Sat, 19 Dec 1998 03:15:19 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id MAA36265; Sat, 19 Dec 1998 12:00:53 +0100 (CET) To: Don Lewis cc: "Marco Molteni" , "Jordan K. Hubbard" , freebsd-security@FreeBSD.ORG Subject: Re: A better explanation (was: buffer overflows and chroot) In-reply-to: Your message of "Fri, 18 Dec 1998 22:41:45 PST." <199812190641.WAA11564@salsa.gv.tsc.tdk.com> Date: Sat, 19 Dec 1998 12:00:53 +0100 Message-ID: <36263.914065253@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >} The basic concept is that root is only root in a jail if the filesystem >} protects the rest of the system, otherwise he isn't. For instance he >} can change the owner or modes on a file, but he cannot change IP# on >} an interface. He can bind to a priviledged TCP port, but only on the >} IP# which belongs to the jail. And so forth. Works pretty well. > >The IP restrictions would be very handy for some of the stuff that I do. > >Can a process in jail kill() a process outside jail? Can the compartments >nest? No & no. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message