Date: Fri, 17 Aug 2007 10:07:36 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: mal content <artifact.one@googlemail.com>
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: Jailed X applications
Message-ID: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net>
In-Reply-To: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com>
References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com>

Quoting mal content <artifact.one@googlemail.com> (from Fri, 17 Aug 2007 06:10:39 +0100):

This is better suited for freebsd-jail@ (CCed), please remove
freebsd-security@ on reply to move the discussion there.

> Has anyone here ever successfully set up a jail for X apps, connecting
> to an external X server? I'm trying an experimental sandbox setup here.

I have my X server itself in a jail (needs a kernel patch and some
devfs rules), and in the past connected to a jail and started an X11
program there... IIRC.

> I have a jail running on an aliased IP on my local machine and X
> programs connect out of the jail to my local X server via an SSH
> tunneled TCP connection. All other packets to and from the jail are
> denied by the packet filter. The trouble I am having is that many
> applications (all X apps so far and a few of the SSH tools) try to open
> and read from /dev/tty, which clearly isn't going to happen:

ssh uses a tty (pty?), but normally you have some in a jail. How do
you start the jail? There should be devfs mounted in the jail.

Bye,
Alexander.

-- 
"How do I love thee? My accumulator overflows."
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137