Date:      Thu, 21 Apr 2005 13:43:59 +0200
From:      Joerg Sonnenberger <joerg@britannica.bec.de>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Configuration differences for jails
Message-ID:  <20050421114359.GA10842@britannica.bec.de>
In-Reply-To: <20050421073009.G51738@eleanor.us1.wmi.uvac.net>
References:  <BAY2-F389017D4F55242220F49FFF22B0@phx.gbl> <20050420135013.GE91329@obiwan.tataz.chchile.org> <20050420151104.GA11753@grummit.biaix.org> <20050420165559.GI91329@obiwan.tataz.chchile.org> <20050421073009.G51738@eleanor.us1.wmi.uvac.net>

On Thu, Apr 21, 2005 at 07:39:08AM -0400, c0ldbyte wrote:
> Now if that last question is correct and that's the process you are using
> to create a jail, then depending on the situation wouldn't that in turn
> defeat some of the main purposes of the jail, like the following. If you
> mounted your "/bin" on "/mnt/jail/bin" then if a person that was looking
> to break in and affect the system that is currently locked in the "jail",
> all he would have to do is just write something to the "jail/bin" which is
> actually your root "/bin" and then the next time a binary is used from your
> root directories it could still infect the rest of the system, ultimately
> defeating the purpose of what you just set up. To my understanding and use
> a jail is somewhat totally independent of the OS that it resides in and
> won't be if you are using nullfs to mount root binary directories on it.

The ro mount, as written by the grandparent, protects against this.

Joerg
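
Added example, not part of the original message or of FreeBSD: a shell check that lists nullfs mounts under a jail root that lack the read-only flag, which is the condition the reply above relies on. It assumes FreeBSD mount(8)-style output lines and paths without whitespace; the function name and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Audit nullfs mounts below a jail root: every host directory exposed to the
# jail (e.g. via "mount -t nullfs -o ro /bin /mnt/jail/bin") should carry the
# read-only flag, otherwise a write inside the jail lands in the host tree.

# writable_nullfs JAILROOT
# Reads lines of the form "src on mnt (type, opt, ...)" on stdin and prints
# each nullfs mount point at or below JAILROOT that is not read-only.
writable_nullfs() {
    awk -v root="${1%/}" '
        $2 == "on" {
            mnt = $3
            # Match the jail root itself or a path strictly below it,
            # so /mnt/jail does not also match /mnt/jail2.
            if (mnt != root && index(mnt, root "/") != 1) next
            # The options are the parenthesised, comma-separated tail.
            opts = $0
            sub(/^[^(]*\(/, "", opts)
            sub(/\)[^)]*$/, "", opts)
            n = split(opts, o, /, */)
            if (o[1] != "nullfs") next
            ro = 0
            for (i = 2; i <= n; i++) if (o[i] == "read-only") ro = 1
            if (!ro) print mnt
        }'
}

# Constructed sample in mount(8) output format (not taken from a real host).
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/bin on /mnt/jail/bin (nullfs, local, read-only)
/usr/lib on /mnt/jail/usr/lib (nullfs, local)
/sbin on /mnt/jail2/sbin (nullfs, local)
devfs on /mnt/jail/dev (devfs, local)'

# Report the writable nullfs mounts for the jail rooted at /mnt/jail.
printf '%s\n' "$SAMPLE_MOUNTS" | writable_nullfs /mnt/jail
```

On a live host the same function can be fed from `mount` directly: `mount | writable_nullfs /mnt/jail`.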


