Date: Thu, 14 Feb 2002 23:06:40 -0500 From: Jim Durham <durham@jcdurham.com> To: Chris Faulhaber <jedgar@fxp.org>, Jim Durham <durham@w2xo.pgh.pa.us> Cc: freebsd-security@freebsd.org Subject: Re: Jail question Message-ID: <200202150406.g1F46kl64701@w2xo.pgh.pa.us> In-Reply-To: <20020215000121.GA48563@peitho.fxp.org> References: <Pine.BSF.4.21.0202141430160.25249-100000@w2xo.pgh.pa.us> <20020215000121.GA48563@peitho.fxp.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 14 February 2002 07:01 pm, Chris Faulhaber wrote: > On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote: > > I just recently discovered jail and started reading the > > material by phk on how it works. > > > > Ok, you can have a general over-all supervisory root account and > > you can have a root account in each jail. > > > > Let's say you make a jail for each department in a company. > > Suppose you have a situation where you have certain users who > > are not capable of system administration, but, they are supervisors > > who need to be able to read and modify files in all the jails, but > > not modify system config files, etc owned by the jail root account. > > > > How could you accomplish this? > > You can wait until 5.0 is released which has support for filesystem > ACLs allowing finer-grained access control for files :) That sounds like a good answer. I would assume that one could just make everything that is not actually a part of the "real system" part of a jail and apply the ACLs to limit access, thereby protecting the kernel, /etc, /var and so forth from users or intruders? -Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202150406.g1F46kl64701>