From owner-freebsd-security Tue Aug 7 4:55:44 2001
Date: Tue, 7 Aug 2001 08:55:27 -0300 (BRT)
From: Paulo Fragoso
To: Igor Podlesny
Cc: Alexey Zakirov
Subject: Re[3]: SSHD in JAIL
In-Reply-To: <261958205.20010807142141@morning.ru>
Message-ID: <20010807085156.F29899-100000@mirage.nlink.com.br>
Sender: owner-freebsd-security@FreeBSD.ORG

On Tue, 7 Aug 2001, Igor Podlesny wrote:

>
> a cite from MAN:
> Inside the prison, the concept of "superuser" is very diluted. In
> general, it can be assumed that nothing can be mangled from inside a prison
> which does not exist entirely inside that prison. For instance the
> directory tree below ``path'' can be manipulated all the ways a root can
> normally do it, including ``rm -rf /*'' but new device special nodes
> cannot be created because they reference shared resources (the device
> drivers in the kernel).
>
> so it's becoming too redundant to use nodev with jail(2), don't you
> agree?

Yes, I agree.

Thanks,
Paulo Fragoso.

>
> > On Mon, 6 Aug 2001, Paulo Fragoso wrote:
>
> >> I was thinking if jail dir mounted on file system with "nodev" it will
> >> be more secure. Anyone could access any disks in the jails environment. Is it
> >> all right?
>
> > yes, but you don't have to create all those disk device nodes. And of
> > course you can't create a device node inside jail itself.
> >
> > *** WBR, Alexey Zakirov (frank@agava.com)
>
> --
> Igor mailto:poige@morning.ru
> http://morning.ru/~poige
>
>

--
   __O
 _-\<,_   Why drive when you can bike?
(_)/ (_)
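An added example, not part of the thread or of FreeBSD itself: the host-side check implied by the replies above, walking a jail's directory tree and listing every device special node that was created there before the jail started. The `ALLOWED_NODES` names and the `/usr/jail/www` path are assumptions for illustration.

```python
import os
import stat
import sys

# Assumed allow-list of node names a jail's /dev is expected to hold; adjust per site.
ALLOWED_NODES = {"null", "zero", "random", "urandom", "tty"}


def node_kind(mode):
    """Map an st_mode value to 'char', 'block' or None (not a device node)."""
    if stat.S_ISCHR(mode):
        return "char"
    if stat.S_ISBLK(mode):
        return "block"
    return None


def audit_jail_devices(jail_root, lstat=os.lstat):
    """Return sorted (path, kind, (major, minor), allowed) for each device node.

    Symlinks are never followed, so a link pointing outside the jail root
    cannot pull host paths into the walk. `lstat` is injectable for testing.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            kind = node_kind(st.st_mode)
            if kind is None:
                continue
            # Only allow-listed character nodes pass; any other node
            # (for example a disk device) is reported as unexpected.
            allowed = kind == "char" and name in ALLOWED_NODES
            rdev = (os.major(st.st_rdev), os.minor(st.st_rdev))
            findings.append((path, kind, rdev, allowed))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/jail/www"  # hypothetical path
    for path, kind, rdev, allowed in audit_jail_devices(root):
        print("ok  " if allowed else "FLAG", kind, rdev, path)
```
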