Date: Fri, 20 Feb 2009 20:23:13 +0100
From: "Simon L. Nielsen"
To: d@delphij.net
Cc: freebsd-jail@FreeBSD.org, FreeBSD Current, freebsd-rc@FreeBSD.org
Subject: Re: [RFC] Skeleton jail (rc.d feature proposal)
Message-ID: <20090220192312.GD1064@arthur.nitro.dk>
In-Reply-To: <499244E6.9030205@delphij.net>

On 2009.02.10 19:24:22 -0800, Xin LI wrote:
> Ok, some local users has prodded me in committing the "skeleton jail"
> feature, I find it useful myself but not sure if it's appropriate to
> commit it against -HEAD, so I'd like to explain it, try to present it in

This complicates an already complicated etc/rc.d/jail script so I think this is a very bad idea. rc.d/jail is already interesting enough security wise as it is IMO.

If anyone wants this very much, I think it should be done in an "external" (to etc/rc.d/jail) jail management system/script. Personally I have been very happy with ezjail, and I think having a script like that "externally" is a much better way to go. If that means importing ezjail or making something like it I don't know.

--
Simon L. Nielsen