Date: Sat, 17 Mar 2001 19:33:41 +0100 From: Gerhard Sittig <Gerhard.Sittig@gmx.net> To: Kris Kennaway <kris@obsecurity.org> Cc: cvs-all@FreeBSD.org Subject: Re: ports enhancement (was: cvs commit: src/sys/netinet ip_output.c) Message-ID: <20010317193341.H20830@speedy.gsinet> In-Reply-To: <20010315122124.B64260@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 15, 2001 at 12:21:24PM -0800 References: <3AAEBD59.1B77E450@originative.co.uk> <200103140045.f2E0jgf15403@vic.sabbo.net> <20010315204101.A20830@speedy.gsinet> <20010315122124.B64260@mollari.cthul.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 15, 2001 at 12:21 -0800, Kris Kennaway wrote:
> On Thu, Mar 15, 2001 at 08:41:01PM +0100, Gerhard Sittig wrote:
> >
> > [ ... PR ports/22316, running apps in jail(2)s ... ]
>
> I think it would be cool to be able to automatically install
> ports into a populated jail..would be a great way to enhance
> security by partitioning off the system from dodgy ports you
> don't trust. If you want to work more on this we should talk
> :-)
Well, the problem is not really easy (otherwise there already
would be a solution in existence:).
There will not be a "virtualized" lo0 interface inside jails.
And calling it "127.0.0.2 ff" breaks this kind of apps as much as
not having "127.0.0.1" at all. But jail(2) was never meant to be
a VM.
What the above cited PR offers is a) to bundle all the interface
references for this particular port and b) to adjust their values
at *compile* time. It doesn't work for cross compilation and
packaging. That the current determination of the "correct"
values is a hack is not so much of a problem, I guess. It can be
improved easily without touching the actual port. Plus it can
get the values from parameters, as well. Producing this header
file can become part of the regular ports system. But all the
ported software needs to make use of these references instead of
providing hard assumptions or even sprinkling those non fitting
values all over the code files.
The one and only clean solution would be to have the app take a
parameter where to bind to. But speaking of Samba the authors
take availability of "localhost" and "127.0.0.1" as a given fact.
And I'm sure others do so, too. At least they are very tempted
to do so. I had the very same problems with Squid as well as
wwwoffle. Think of your own problems to imagine any IP stack
without a loopback interface ... :)
I guess there's a lot of work to raise awareness among software
authors. Until then there's a whole lot of editing to do. Maybe
patches will even outgrow the actual source in size. :>
But yes I'm willing to spend some of my resources on this kind of
task. Provided I get some better feeling on how useful this is
or if some other method will serve us better. As usual
contributing and being ignored doesn't raise motivation ...
That's where I like rejection much more than silence, no matter
if the original action is done for getting agreement. Seeing how
much time would have been to be spent and that I'm not yet clear
of the direction to head for I'm reluctant to act blindly. Once
there's a direction to follow then let's get cracking!
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010317193341.H20830>