From owner-freebsd-hackers@FreeBSD.ORG Wed Sep 22 18:02:29 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 63DEE16A4CE for ; Wed, 22 Sep 2004 18:02:29 +0000 (GMT) Received: from mta2.rdslink.ro (emta2.rdslink.ro [193.231.236.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id D991043D67 for ; Wed, 22 Sep 2004 18:02:27 +0000 (GMT) (envelope-from dr.clau@rdslink.ro) Received: (qmail 7693 invoked from network); 22 Sep 2004 17:57:12 -0000 Received: from unknown (HELO mail.rdslink.ro) (193.231.236.20) by emta2.rdslink.ro with SMTP; 22 Sep 2004 17:57:12 -0000 Received: (qmail 12580 invoked from network); 22 Sep 2004 18:01:48 -0000 Received: from unknown (HELO mordor.arsys.ro) (213.157.184.200) by mail.rdslink.ro with SMTP; 22 Sep 2004 18:01:48 -0000 Received: from localhost (jail1 [192.168.0.100]) by mordor.arsys.ro (Postfix) with ESMTP id 5C2F3CFAB3 for ; Wed, 22 Sep 2004 21:02:44 +0300 (EEST) Received: from mordor.arsys.ro ([192.168.0.100]) by localhost (jail1 [192.168.0.100]) (amavisd-new, port 10024) with ESMTP id 22545-05 for ; Wed, 22 Sep 2004 21:02:43 +0300 (EEST) Received: from [82.79.29.15] (unknown [82.79.29.15]) by mordor.arsys.ro (Postfix) with ESMTP id 958EFCFAB1 for ; Wed, 22 Sep 2004 21:02:43 +0300 (EEST) Message-ID: <4151BE12.8040901@rdslink.ro> Date: Wed, 22 Sep 2004 21:01:54 +0300 From: Claudiu Dragalina-Paraipan User-Agent: Mozilla Thunderbird 0.7.3 (X11/20040807) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-hackers@freebsd.org References: <1095874809.50307.59.camel@kaiser.sig11.org> In-Reply-To: <1095874809.50307.59.camel@kaiser.sig11.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at arsys.ro Subject: Re: Some questions about jails X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Sep 2004 18:02:29 -0000 Hi, Matteo Riondato wrote: > Hello hackers! > > I've a few questions about jail(8) and hope you'll be so kind to answer > them =) > > First of all: Why is procfs(5) required inside a jail (speaking about > 5.x and 6) ? " > As procfs is considered deprecated due to its inherent security > risks",why should it be used inside a jail? Maybe some software might not work without it, so it is a good thing to have it around. You don't need to start a jail with procfs, it is your decision. > > Second question: why does an "ifconfig" from inside a jail list every > network card present in the host system? Wouldn't it be better if only > lo0 and the interface with the jail IP are listed ? I think it will, > because it's my personal opinion (please refute me, I can be wrong) that > one jail's purpouses is to fool the jail users, making them believe that > they are inside a real system. I came to this conclusion reading about > security.jail.getfstatroot_only in jail(8). In general, I don't think it is about fooling the jail user. It is about isolating the user or the attacker that manages to get into the jail. I think this is why the jail was initialy created. Also, you might find this link interesting: http://kerneltrap.org/node/view/3075 > > Thank you in advance for your replies. > Best Regards With respect, -- Claudiu Dragalina-Paraipan e-mail: dr.clau@rdslink.ro