Date: Thu, 21 May 2020 14:42:54 +0700 From: Eugene Grosbein <eugen@grosbein.net> To: ihor@antonovs.family, freebsd-security@freebsd.org Subject: Re: Malicious root user sandboxing Message-ID: <6526a9b1-0913-20db-40a7-443623934e06@grosbein.net> In-Reply-To: <26311043.RtLttYiU3N@amos> References: <1641188.rRC0nNcZtX@amos> <442284bc-e137-f5de-aee6-1d5c69e7d3b8@grosbein.net> <26311043.RtLttYiU3N@amos>
next in thread | previous in thread | raw e-mail | index | archive | help
21.05.2020 12:16, Ihor Antonov wrote: > Jails have a lot of drawbacks to. [skip] > I tried jails and was left disappointed. Just use sysutils/ezjail from ports that hides all the hassle and does it all for you, so you need to perform installworld for the host system only. >> Also, shared PAM does not mean duplication of system user database, >> take a look at: man -k pam_|fgrep '(8)' > > The idea was to have a lightweight solution with minimum moving parts. Bringing machinery > like LDAP into this defeats the purpose of the exercise. If you don't like LDAP, use FreeRADIUS and pam_radius. Combined with ezjail, it is most lightweight solution you may currently obtain without writing additional kernel level code.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6526a9b1-0913-20db-40a7-443623934e06>