From owner-freebsd-arch@FreeBSD.ORG Tue Oct 31 19:33:22 2006
Date: Tue, 31 Oct 2006 20:32:47 +0100
From: Alexander Leidinger
To: Robert Watson
Cc: arch@FreeBSD.org
Subject: Re: New in-kernel privilege API: priv(9)
Message-ID: <20061031203247.15787e75@Magellan.Leidinger.net>
In-Reply-To: <20061031092122.D96078@fledge.watson.org>

Quoting Robert Watson (Tue, 31 Oct 2006 09:43:45 +0000 (GMT)):

> (2) Sweep of the remaining kernel files, cleaning up privilege checks,
>     replacing suser()/suser_cred() calls, etc, across the kernel.

What about denying access to the dmesg in a jail? I noticed in the run
of the periodic scripts in jails that I can see the segfaults of
programs in other jails (stock -current, but I haven't seen such a
privilege in your list of allowed privileges for a jail). A quick test
revealed that I'm able to see the complete dmesg.

From a user point of view I don't want to get confused by broken stuff
in a jail of someone else (shared hosting) and I don't want to let
other people know what programs I run (in case they are failing).

Bye,
Alexander.

-- 
"I suppose the secret to happiness is learning to appreciate the moment."
        -Calvin
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137