From owner-freebsd-security  Fri Jun 28 15:50: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0484237B49F
	for <freebsd-security@FreeBSD.ORG>; Fri, 28 Jun 2002 15:49:28 -0700 (PDT)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F3A5343FB7
	for <freebsd-security@FreeBSD.ORG>; Fri, 28 Jun 2002 15:30:45 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.12.3/8.12.2) with ESMTP id g5SMSZ6I061316;
	Sat, 29 Jun 2002 00:28:36 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Pat Lashley <patl+freebsd@volant.org>
Cc: FreeBSD Security Mailling List <freebsd-security@FreeBSD.ORG>
Subject: Re: Jailing SSHd [Was: Re: OpenSSH Security (just a question, please no f-war)] 
In-Reply-To: Your message of "Wed, 26 Jun 2002 17:22:53 PDT."
             <2849830000.1025137373@mccaffrey.phoenix.volant.org> 
Date: Sat, 29 Jun 2002 00:28:35 +0200
Message-ID: <61315.1025303315@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

In message <2849830000.1025137373@mccaffrey.phoenix.volant.org>, Pat Lashley wr
ites:
>--==========236915482==========
>Content-Type: text/plain; charset=us-ascii; format=flowed
>Content-Transfer-Encoding: quoted-printable
>Content-Disposition: inline
>
>--On Wednesday, June 26, 2002 09:07:36 PM +0200 Poul-Henning Kamp=20
><phk@critter.freebsd.dk> wrote:
>
>> Which reminds me that we should really tweak the code and put it in a
>> jail instead of a chroot.
>
>Careful there.  Some of us are using SSH to log into jails running virtual
>hosting environments.  The default installation needs to be able to run if
>it is already within a jail when sshd is started.

You could just fall back to chroot(2) if jail(2) failed.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message