Date: Sun, 7 Jan 2001 12:07:57 -0500 (EST)
From: Robert Watson
To: Evan S
Cc: Kris Kennaway, freebsd-security@FreeBSD.org
Subject: Re: changing kernsecurelevel

On Sun, 7 Jan 2001, Evan S wrote:

> Mm, Openroot runs on -CURRENT, and users are able to apply those flags
> to files. But, I made a little patch, and it seems to work. They're not
> able to do it anymore.

Aha. They can add, but not remove, right? That probably should be changed
-- feel free to e-mail me a patch and I'll apply as appropriate.

> Other than that I'm happy with the way Jail works. The above was the
> only problem I had.

Great. Contributions in this space are always welcome :-). There is a
patch in the PR database, btw, that deals with another problem with jail()
that you might potentially run into: resource limits are currently global
in scope, and not per-jail(). This has positive and negative aspects, and
the patch doesn't address all of the problems that need to be addressed, I
believe. Really, we'd like to have per-jail resource limits, and then
within that scope per-uid-per-jail limits. However, the current resource
mechanism is not structured to support this. I believe the patch addresses
the per-uid-per-jail aspect, but does not allow the host administrator to
specify per-jail limits to bound the resources allocated to a particular
jail. With the gradual cleanup of credentials and resources limit
structures, as well as a possible eventual move of the jail pointer into
ucred or pcred, this problem will probably be more easily addressed.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services