Date: Tue, 19 Oct 2010 21:52:25 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Devin Teske <dteske@vicor.com> Cc: Julian Elischer <julian@freebsd.org>, freebsd-rc@freebsd.org Subject: Re: sysrc(8) -- a sysctl(8)-like utility for managing rc.conf(5) Message-ID: <20101019195225.GB2127@garage.freebsd.pl> In-Reply-To: <1287510629.25599.2.camel@localhost.localdomain> References: <1286925182.32724.18.camel@localhost.localdomain> <1286996709.32724.60.camel@localhost.localdomain> <1287448781.5713.3.camel@localhost.localdomain> <1287510629.25599.2.camel@localhost.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
--8NvZYKFJsRX2Djef Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Oct 19, 2010 at 10:50:29AM -0700, Devin Teske wrote: > I added `-j jail' for specifying a jail id or name to operate within > (requires jls(8); overrides `-R dir'). [...] Note that operating on jail files from outside a jail is serious security problem. The files from within the jail can be symbolic links that point to files from outside a jail from your perspective. Even chroot(2) to jail's root is neither safe (running applications that can be modified by jail's root is obvious security hole) nor reliable (jail might not have all the commands). The only safe way is to jexec(8) into a jail, but it of course has the same relialability issue as chroot(8). --=20 Pawel Jakub Dawidek http://www.wheelsystems.com pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --8NvZYKFJsRX2Djef Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAky99vgACgkQForvXbEpPzQLFwCfUw7oFcgj8ShqFb9TEz7JbDBg tswAoOUJ8Nr5OXoEUns1J60ozmB/A4UZ =FEUR -----END PGP SIGNATURE----- --8NvZYKFJsRX2Djef--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101019195225.GB2127>