From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 13:47:00 2003
From: Pawel Jakub Dawidek
To: Uwe Doering
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Date: Mon, 14 Jul 2003 22:52:31 +0200
Subject: Re: jails, ipfilter & stunnel
Message-ID: <20030714205231.GC4973@garage.freebsd.pl>
In-Reply-To: <3F130FE1.1080308@geminix.org>
X-OS: FreeBSD 4.8-RELEASE i386
List-Id: Security issues [members-only posting]

On Mon, Jul 14, 2003 at 10:17:37PM +0200, Uwe Doering wrote:
> > You can check my patch for multiple IPs in jails, which also fixes
> > the sockets ordering behaviour.
> >
> > For FreeBSD 4.x:
> > http://garage.freebsd.pl/mijail.tbz
> > http://garage.freebsd.pl/mijail.README
> > For FreeBSD 5.1-CURRENT:
> > http://garage.freebsd.pl/mijail5.tbz
> > http://garage.freebsd.pl/mijail5.README
> > http://garage.freebsd.pl/patches/mijail5.patch
>
> Thanks for the patches. Did you try to contribute them to the FreeBSD
> project? If so, any reaction so far?

Of course I've tried, but as you can see...:)

> > If www pages don't have dynamic elements you can mount them read-only
> > with mount_null(8), for example. Only logs should be writable, but you
> > need only one directory with the 'schg' flag and touch(1)'ed log files
> > inside it with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be
> > removed in a jail even if securelevel is <= 0.
>
> Just be careful with mount_null(8). You might get away with it
> unscathed if you use it read-only, but you shouldn't try anything else
> with it. Last time I checked I managed to panic the kernel with it even
> faster than with mount_union(8), which is badly broken as well (look at
> the comment at the end of the man pages). I wouldn't recommend using
> either in a production system.

You could always try to use NFS on the local machine, but those comments
at the end of the manual pages should be removed in 5.x (for unionfs as
well). There are developers working on this: tjr@ on nullfs and das@ on
unionfs.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net
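The read-only nullfs mount plus schg/sappnd log directory that Pawel describes, written out as an added example (this is not code from the mail, from Pawel or from the FreeBSD project). The jail root, source directory, log file names and function names are assumptions for illustration; the nullfs mount is used read-only only, in line with the warning quoted above. The setup commands only work on FreeBSD as root, but the verification helpers parse `ls -lo` output and run anywhere:

```shell
#!/bin/sh
# Added example (not code from the original mail or from FreeBSD): set up a
# jail's static web root as a read-only nullfs mount and a single writable log
# directory protected with schg/sappnd, then verify the flags from 'ls -lo'
# output. All paths, file names and function names below are assumptions.
#
# Assumed layout:
#   $SRC_WWW                     static content kept on the host
#   $JAIL_ROOT/usr/local/www     read-only nullfs view of it inside the jail
#   $JAIL_ROOT/var/log/httpd     the only writable place: schg dir, sappnd files
set -eu

JAIL_ROOT=${JAIL_ROOT:-/jail/www}
SRC_WWW=${SRC_WWW:-/usr/local/www/site}
LOG_DIR=$JAIL_ROOT/var/log/httpd
LOG_FILES="access_log error_log"

# Read-only nullfs mount of the static content. 4.x ships mount_null(8);
# on 5.x the command is mount_nullfs(8) with the same arguments.
mount_www_ro() {
    mkdir -p "$JAIL_ROOT/usr/local/www"
    mount_null -o ro "$SRC_WWW" "$JAIL_ROOT/usr/local/www"
}

# Create the log files first, make them append-only, then freeze the directory.
# Order matters: once the directory carries schg nothing can be created,
# renamed or unlinked in it, so touch(1) has to run before chflags schg.
setup_log_dir() {
    mkdir -p "$LOG_DIR"
    for f in $LOG_FILES; do
        touch "$LOG_DIR/$f"
        chflags sappnd "$LOG_DIR/$f"
    done
    chflags schg "$LOG_DIR"
}

# Undo, from the host at securelevel <= 0 (root inside the jail cannot clear
# system flags). Needed, for example, before rotating the logs.
unlock_log_dir() {
    chflags noschg "$LOG_DIR"
    for f in $LOG_FILES; do chflags nosappnd "$LOG_DIR/$f"; done
}

# flags_of NAME   (stdin: 'ls -lo' output)
# Prints the flags column of the entry called NAME; fails if NAME is absent.
# 'ls -lo' columns: mode links owner group flags size month day time name
flags_of() {
    awk -v name="$1" '$NF == name { print $5; found = 1 } END { exit !found }'
}

# has_flag FLAGS WANTED: 0 if WANTED appears in the comma-separated FLAGS list
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_log_flags   (stdin: 'ls -lo $LOG_DIR'): 0 if every log file is sappnd
check_log_flags() {
    out=$(cat)
    for f in $LOG_FILES; do
        flags=$(printf '%s\n' "$out" | flags_of "$f") || return 1
        has_flag "$flags" sappnd || return 1
    done
}

# check_dir_flags   (stdin: 'ls -lod $LOG_DIR'): 0 if the directory is schg
check_dir_flags() {
    flags=$(flags_of "$LOG_DIR") || return 1
    has_flag "$flags" schg
}

case ${1:-} in
    setup)  mount_www_ro; setup_log_dir ;;
    unlock) unlock_log_dir ;;
    check)  ls -lod "$LOG_DIR" | check_dir_flags \
                && ls -lo "$LOG_DIR" | check_log_flags \
                && echo "flags OK on $LOG_DIR" ;;
    *)      ;;
esac
```

Run it as `sh jail-www.sh setup` on the host, then `sh jail-www.sh check` to confirm that `ls -lo` shows `schg` on the directory and `sappnd` on each log file. Because sappnd files cannot be truncated and an schg directory cannot take a rename, log rotation has to be done from the host with `unlock`, rotate, `setup`; a jailed root (or an attacker who becomes one) can neither clear the flags nor remove the logs.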