Date: Wed, 22 Sep 2004 21:01:54 +0300
From: Claudiu Dragalina-Paraipan <dr.clau@rdslink.ro>
To: freebsd-hackers@freebsd.org
Subject: Re: Some questions about jails
Message-ID: <4151BE12.8040901@rdslink.ro>
In-Reply-To: <1095874809.50307.59.camel@kaiser.sig11.org>
References: <1095874809.50307.59.camel@kaiser.sig11.org>

Hi,

Matteo Riondato wrote:
> Hello hackers!
>
> I've a few questions about jail(8) and hope you'll be so kind to answer
> them =)
>
> First of all: Why is procfs(5) required inside a jail (speaking about
> 5.x and 6)?
> "As procfs is considered deprecated due to its inherent security
> risks", why should it be used inside a jail?

Maybe some software might not work without it, so it is a good thing to have it around. You don't need to start a jail with procfs; it is your decision.

>
> Second question: why does an "ifconfig" from inside a jail list every
> network card present in the host system? Wouldn't it be better if only
> lo0 and the interface with the jail IP are listed? I think it will,
> because it's my personal opinion (please refute me, I can be wrong) that
> one jail's purposes is to fool the jail users, making them believe that
> they are inside a real system. I came to this conclusion reading about
> security.jail.getfstatroot_only in jail(8).

In general, I don't think it is about fooling the jail user. It is about isolating the user or the attacker that manages to get into the jail. I think this is why the jail was initially created.

Also, you might find this link interesting:
http://kerneltrap.org/node/view/3075

>
> Thank you in advance for your replies.
> Best Regards

With respect,
--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@rdslink.ro