From owner-freebsd-bugs Tue Jun 12 18:35:58 2001
Delivered-To: freebsd-bugs@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id BA03037B401 for ; Tue, 12 Jun 2001 18:35:54 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id DAA19921; Wed, 13 Jun 2001 03:35:51 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Bill Fumerola
Cc: mayres@chimesnet.com, freebsd-bugs@FreeBSD.org
Subject: Re: misc/28107: identd does not return usernames while running under a jail.
References: <200106130107.f5D17kV90052@freefall.freebsd.org> <20010612201504.J37979@elvis.mu.org>
From: Dag-Erling Smorgrav
Date: 13 Jun 2001 03:35:50 +0200
In-Reply-To: <20010612201504.J37979@elvis.mu.org>
Message-ID:
Lines: 15
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Bill Fumerola writes:
> how is that a feature, what resource is it protecting?

Information about sockets owned by processes outside the jail. There's no (non-trivial) way to determine whether a socket belongs inside or outside a jail - there's no direct mapping from sockets to processes, so you'd have to traverse the process list and scan the file table of every process not in the same jail as inetd(8) to see if the socket is listed there. This is both expensive and invasive, so the best (or at least, simplest) solution is to deny jailed processes access to this information.
DES
--
Dag-Erling Smorgrav - des@ofug.org
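The following is an added toy model of the lookup problem the message describes; it is constructed for illustration and is not FreeBSD kernel code. The process table, pids, jail ids and socket ids are all made-up sample data. It shows why mapping a socket back to its owner has no shortcut (every process's file table has to be walked), contrasts a "precise" per-jail filter, which still has to traverse processes outside the requester's jail, with the "simple" policy the message settles on, where a jailed requester is refused outright and no traversal happens on its behalf.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Constructed toy model, not FreeBSD code: a "socket" is an integer id,
 * a process carries a jail id (0 = host, not jailed) and a small file
 * table listing the socket ids it holds open.
 */
#define MAX_FDS 4

struct proc {
    int pid;
    int jail;            /* 0 = host, >0 = jail id */
    int fds[MAX_FDS];    /* socket ids held open by this process */
    int nfds;
};

/* Sample process table (assumed data, not taken from any real system). */
static const struct proc procs[] = {
    { 100, 0, { 10, 11 }, 2 },   /* host process holding sockets 10 and 11 */
    { 200, 1, { 20 },     1 },   /* process in jail 1 holding socket 20 */
    { 300, 2, { 30, 31 }, 2 },   /* process in jail 2 holding sockets 30, 31 */
};
static const size_t nprocs = sizeof(procs) / sizeof(procs[0]);

#define OWNER_NOT_FOUND (-1)
#define OWNER_DENIED    (-2)

/*
 * Reverse mapping from socket to owning process. There is no index for
 * this direction, so the only way is to walk every process and every
 * file table entry: O(processes * descriptors). *cost receives the number
 * of file table entries examined, to make the expense visible.
 */
int socket_owner(int sock, int *cost)
{
    int scanned = 0;
    for (size_t i = 0; i < nprocs; i++) {
        for (int j = 0; j < procs[i].nfds; j++) {
            scanned++;
            if (procs[i].fds[j] == sock) {
                if (cost) *cost = scanned;
                return procs[i].pid;
            }
        }
    }
    if (cost) *cost = scanned;
    return OWNER_NOT_FOUND;
}

/* Number of file table entries a lookup of `sock` has to touch. */
int scan_cost(int sock)
{
    int cost = 0;
    (void)socket_owner(sock, &cost);
    return cost;
}

/* Jail id of a pid, or -1 if the pid is unknown. */
static int jail_of(int pid)
{
    for (size_t i = 0; i < nprocs; i++)
        if (procs[i].pid == pid)
            return procs[i].jail;
    return -1;
}

/*
 * "Precise" policy: a jailed requester may learn the owner only when the
 * owning process sits in the same jail. Deciding that still requires the
 * full traversal, including processes outside the requester's jail,
 * which is the invasive part the message objects to.
 */
int lookup_precise(int requester_jail, int sock)
{
    int pid = socket_owner(sock, NULL);
    if (pid == OWNER_NOT_FOUND)
        return OWNER_NOT_FOUND;
    if (requester_jail != 0 && jail_of(pid) != requester_jail)
        return OWNER_DENIED;
    return pid;
}

/*
 * "Simple" policy, the one the message describes as chosen: a jailed
 * requester is refused before any traversal happens; the host keeps the
 * normal lookup.
 */
int lookup_simple(int requester_jail, int sock)
{
    if (requester_jail != 0)
        return OWNER_DENIED;
    return socket_owner(sock, NULL);
}

int main(void)
{
    printf("socket 31 -> pid %d after scanning %d descriptors\n",
           socket_owner(31, NULL), scan_cost(31));
    printf("jail 1 asks about socket 20: precise=%d simple=%d\n",
           lookup_precise(1, 20), lookup_simple(1, 20));
    printf("jail 1 asks about socket 10: precise=%d simple=%d\n",
           lookup_precise(1, 10), lookup_simple(1, 10));
    return 0;
}
```

The point of `scan_cost` is that even a lookup that is ultimately refused (`lookup_precise(1, 10)`) has already walked the file tables of processes in other jails before the answer is known; `lookup_simple` avoids that by refusing jailed requesters up front, trading the identd feature inside jails for a cheaper and less leaky kernel.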