From owner-freebsd-security  Thu Aug 23  6:24: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay2.agava.net.ru (2.oivt.mipt.ru [193.125.142.2])
	by hub.freebsd.org (Postfix) with ESMTP id C931437B40B
	for <freebsd-security@FreeBSD.ORG>; Thu, 23 Aug 2001 06:23:59 -0700 (PDT)
	(envelope-from frank@agava.com)
Received: from gw.office.agava.ru (2.oivt.mipt.ru [193.125.142.2])
	by relay2.agava.net.ru (Postfix) with ESMTP
	id DEECE43860; Thu, 23 Aug 2001 17:23:56 +0400 (MSD)
Received: from hellbell.domain (hellbell.domain [192.168.1.12])
	by gw.office.agava.ru (Postfix) with ESMTP
	id 2039B6095; Thu, 23 Aug 2001 17:23:55 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1])
	by hellbell.domain (Postfix) with ESMTP
	id BD57DCCEF; Thu, 23 Aug 2001 17:23:54 +0400 (MSD)
Date: Thu, 23 Aug 2001 17:23:54 +0400 (MSD)
From: Alexey Zakirov <frank@agava.com>
X-X-Sender:  <frank@hellbell.domain>
To: Shannon Johnson <shannon@designcurve.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: jail & security
In-Reply-To: <004401c12bd5$21918d60$3303a8c0@needhams.com>
Message-ID: <Pine.BSF.4.32.0108231715470.46875-100000@hellbell.domain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, 23 Aug 2001, Shannon Johnson wrote:

> > no chances. It's a very pain jail feature (weakness). :(
>
> I actually disagree. It it possible to limit a users resources within a

sorry, I have to repeat "no chances".
You CAN'T limit whole jail limits. If I had the superuser priviliges in
your jail(2) I'd trash your system. You can set users limits but you can't
resist against root compromise as ASPLinux and UML linux do.

> jail. You can use login classes in a jail just as you can outside it.  See

sure, I do it.

> I have used it extensively both at work and home and am very impressed with
> both the security and flexibility of a FreeBSD jail. As with all things in

I had to fix several shell servers to fix kernel signal race exploit.
jail(2) didn't help me in that case.

> some binaries (e.g. Linux), however, please make sure that if you are
> running a 4.2 and 3.x system, make sure that you have the patch for the
> procfs vulnerability http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html

The most important patch IMO is the kern/18209.

*** WBR, Alexey Zakirov (frank@agava.com)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message