From owner-freebsd-isp Thu Jul 27 11:33:19 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from workhorse.iMach.com (workhorse.iMach.com [206.127.77.89]) by hub.freebsd.org (Postfix) with ESMTP id EC3D737BD92 for ; Thu, 27 Jul 2000 11:33:15 -0700 (PDT) (envelope-from forrestc@imach.com)
Received: from localhost (forrestc@localhost) by workhorse.iMach.com (8.9.3/8.9.3) with ESMTP id LAA15739; Thu, 27 Jul 2000 11:35:51 -0600 (MDT)
Date: Thu, 27 Jul 2000 11:35:50 -0600 (MDT)
From: "Forrest W. Christian"
To: Neil Blakey-Milner
Cc: "chem@i-p-d.nl", Kenn Martin, freebsd-isp@FreeBSD.ORG
Subject: Re: limiting telnet-users
In-Reply-To: <20000727142913.A46061@mithrandr.moria.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 27 Jul 2000, Neil Blakey-Milner wrote:

> On Thu 2000-07-27 (00:58), Forrest W. Christian wrote:
> > About the only way to confine users to their own little private world is
> > chroot. Period.
>
> ITYM jail(2).

I had forgotten jail was in the 4.0 chain. Please modify the above sentence to "chroot and jail".

> > Chroots are SIGNIFICANTLY more difficult to break out of.
>
> There have been, and are still, ways to get out of chroot. See 'sysctl
> kern.chroot_allow_open_directories', for one.

Yes - that is correct - but how much more difficult is it for the average unix user to get out of a chroot than some permissions-based scheme. The point I was trying to make is that about the only almost-secure way to do this is with something like chroot and jail. Anything else can be defeated with some "simple" ingenuity, as opposed to system-level knowledge for chroot.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------