From: Andrey Groshev <andrey.groshev@yartv.ru>
To: freebsd-jail@FreeBSD.org
Date: Thu, 09 Jun 2011 13:03:47 +0400
Subject: Changes in /etc/rc.d/jail
Message-ID: <4DF08C73.6010308@yartv.ru>

Hello All!

The other day, looking in /etc/rc.d/jail, I saw a change that I would not like to be ignored. After seeing the comments in CVS, I think people understood the addition of "&" as a way to add parallel loading of jails. It was not done for that!

The fact is that last year I wrote kern/139422. The essence is as follows:

For example, a jail is hacked. An attacker puts a never-ending start script (like "while true; ...") in the jail. The next time you restart the parent system, the subsystems that start after /etc/rc.d/jail will not start.

    # rcorder /etc/rc.d/*
    ......
    130 /etc/rc.d/jail
    131 /etc/rc.d/localpkg
    132 /etc/rc.d/securelevel
    133 /etc/rc.d/power_profile
    134 /etc/rc.d/othermta
    135 /etc/rc.d/nfscbd
    136 /etc/rc.d/natd
    137 /etc/rc.d/msgs
    138 /etc/rc.d/moused
    139 /etc/rc.d/mixer
    140 /etc/rc.d/inetd
    141 /etc/rc.d/hostapd
    142 /etc/rc.d/gptboot
    143 /etc/rc.d/geli2
    144 /etc/rc.d/ftpd
    145 /etc/rc.d/ftp-proxy
    146 /etc/rc.d/dhclient
    147 /etc/rc.d/bsnmpd
    148 /etc/rc.d/bridge
    149 /etc/rc.d/bluetooth
    150 /etc/rc.d/bgfsck
    151 /etc/rc.d/addswap

I.e. the parent system may not be workable. Therefore, IMHO, we should either go back to the way it was originally done (as in version 1.44), or allow "parallel" booting by default, or come up with a plan "B".

Best regards,
Andrey Groshev aka GreenX.
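As an added illustration of the failure mode the mail describes (this is not code from the mail or from FreeBSD's /etc/rc.d/jail): a host-side time bound on each jail's start command, so that a start script inside one jail that never exits cannot hold back the rc.d scripts ordered after jail. The helpers run_bounded and start_jails and the NAME:CMD jail list are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD's rc.d/jail.
# Bounds the time the host spends on each jail's start command so the
# "while true" case cannot stall localpkg, securelevel, ... which rcorder
# places after jail. run_bounded and start_jails are hypothetical helpers.

# run_bounded SECONDS CMD [ARGS...]
# Runs CMD under a watchdog. If CMD is still running after SECONDS it is
# sent SIGTERM and 124 is returned (timeout(1)'s convention); otherwise
# CMD's own exit status is returned.
run_bounded() {
    limit=$1; shift
    marker=$(mktemp) || return 1      # created again by the watchdog when it fires
    rm -f "$marker"
    "$@" &
    pid=$!
    ( sleep "$limit"; : >"$marker"; kill -TERM "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?
    kill "$watchdog" 2>/dev/null || :  # CMD finished first: disarm the watchdog
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 124
    fi
    return "$status"
}

# start_jails SECONDS NAME:CMD ...
# Stand-in for the jail_list loop: each jail's start command gets its own
# time limit, the outcome is logged, and the number of jails whose start
# timed out is returned, so boot continues and the operator still sees it.
start_jails() {
    per_jail=$1; shift
    stuck=0
    for entry in "$@"; do
        name=${entry%%:*}
        cmd=${entry#*:}
        if run_bounded "$per_jail" sh -c "$cmd"; then
            echo "jail $name: started"
        else
            st=$?
            if [ "$st" -eq 124 ]; then
                echo "jail $name: start timed out after ${per_jail}s, continuing"
                stuck=$((stuck + 1))
            else
                echo "jail $name: start failed (status $st)"
            fi
        fi
    done
    return "$stuck"
}
```

With a constructed list such as `start_jails 30 "web:/etc/rc.d/jail_web_start" "stuck:while :; do sleep 1; done"`, the hung jail is reported and skipped after 30 seconds instead of blocking everything ordered after /etc/rc.d/jail.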