From owner-freebsd-hackers Thu Feb 27 1:42:41 2003 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDFA237B401 for ; Thu, 27 Feb 2003 01:42:38 -0800 (PST) Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1EA3C43FB1 for ; Thu, 27 Feb 2003 01:42:38 -0800 (PST) (envelope-from nick@milla.ask33.net) Received: by milla.ask33.net (Postfix, from userid 1001) id 23C703ABB63; Thu, 27 Feb 2003 10:42:42 +0100 (CET) Date: Thu, 27 Feb 2003 10:42:42 +0100 From: Pawel Jakub Dawidek To: Mooneer Salem Cc: FreeBSD Hackers Subject: Re: Jail seperation patch Message-ID: <20030227094242.GJ330@garage.freebsd.pl> References: <20030226080509.GZ8455@garage.freebsd.pl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cy9Nn4fUvYST66Pl" Content-Disposition: inline In-Reply-To: X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc X-OS: FreeBSD 4.8-PRERELEASE i386 User-Agent: Mutt/1.5.1i Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --cy9Nn4fUvYST66Pl Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 26, 2003 at 02:48:25PM -0800, Mooneer Salem wrote: +> 1. It handles at least case 1 just fine: +>=20 +> %telnet 10.0.0.2 25 +> Trying 10.0.0.2... +> Connected to pacific.lifeafterking.org. [...] +> %telnet 10.0.0.3 25 +> Trying 10.0.0.3... +> Connected to test.lifeafterking.org.. [...] +> %telnet 10.0.0.4 25 +> Trying 10.0.0.4... +> Connected to blah.lifeafterking.org.. Nope, this is incorrect behaviour. INADDR_ANY in jail means: 10.1.1.2 or 10.1.1.3, but not 10.1.1.4. +> 2. Neat. :) I'm going to add sysctls when I get a chance for the mount +> hiding. Also, I'm going to take a look +> at the VFS code and see if I can hide files from non-root non-jailed use= rs. ??? Everything that you can check IMHO is to check every parent directory of opened file if it isn't equal to jail chroot directory. But this is slow and stupid, because there could be many jails with shared chroot directory. +> 3. Does multi-level jailing add any further restrictions to the jails wi= thin +> the jails, besides the standard ones +> imposed? Nope, but jail runned in jail can't use IPs that aren't binded to parent jail and securelevels are checked recursively. --=20 Pawel Jakub Dawidek UNIX Systems Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am. --cy9Nn4fUvYST66Pl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPl3dkj/PhmMH/Mf1AQEJIwQAl4Yr1xLXMWpn5YCDQhbTuM+15U4Ys+zv qwlwFkeDRkPaJVle1W9ihu5HB+TfOwF2TCxXpTTjyqPwmnT1HfWqpVbx/x0ZfYLr D/iZFaFqunXUIGyOfnuHas6RCZ4FCx6Ia2xyvysSkHAy0HRGyXinhMNFQJO/48Bi HL0oeIV+Sho= =3qAo -----END PGP SIGNATURE----- --cy9Nn4fUvYST66Pl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message