From owner-freebsd-hackers@FreeBSD.ORG Thu Apr 21 11:44:15 2005 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B91A816A4CE for ; Thu, 21 Apr 2005 11:44:15 +0000 (GMT) Received: from hydra.bec.de (www.ostsee-abc.de [62.206.222.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 64F1743D3F for ; Thu, 21 Apr 2005 11:44:15 +0000 (GMT) (envelope-from joerg@britannica.bec.de) Received: from britannica.bec.de (wlan032024.uni-rostock.de [139.30.32.24]) by hydra.bec.de (Postfix) with ESMTP id 57F4135707 for ; Thu, 21 Apr 2005 13:44:14 +0200 (CEST) Received: by britannica.bec.de (Postfix, from userid 1001) id D1FEB7D0A; Thu, 21 Apr 2005 13:43:59 +0200 (CEST) Date: Thu, 21 Apr 2005 13:43:59 +0200 From: Joerg Sonnenberger To: freebsd-hackers@freebsd.org Message-ID: <20050421114359.GA10842@britannica.bec.de> Mail-Followup-To: freebsd-hackers@freebsd.org References: <20050420135013.GE91329@obiwan.tataz.chchile.org> <20050420151104.GA11753@grummit.biaix.org> <20050420165559.GI91329@obiwan.tataz.chchile.org> <20050421073009.G51738@eleanor.us1.wmi.uvac.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050421073009.G51738@eleanor.us1.wmi.uvac.net> User-Agent: Mutt/1.5.9i Subject: Re: Configuration differences for jails X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Apr 2005 11:44:15 -0000 On Thu, Apr 21, 2005 at 07:39:08AM -0400, c0ldbyte wrote: > Now if that last question is correct and thats the proccess you are using > to create a jail then depending on the situation wouldnt that inturn > defeat some of the main purposes of the jail, like the following. If you > mounted your "/bin" on "/mnt/jail/bin" then if a person that was looking > to break in and effect the system that is currently locked in the "jail" > all he would have to do is just write something to the "jail/bin" which is > actualy your root "/bin" and then the next time a binary is used from your > root directories it could still infect the rest of the system ultimately > defeating the purpose of what you just set up. To my understanding and use > a jail is somewhat totaly independent of the OS that it resides in and > wont be if you are using nullfs to mount root binary directories on it. ro mount as written by grant parent protects against this. Joerg