Date: Thu, 23 Aug 2001 17:23:54 +0400 (MSD) From: Alexey Zakirov <frank@agava.com> To: Shannon Johnson <shannon@designcurve.net> Cc: <freebsd-security@FreeBSD.ORG> Subject: Re: jail & security Message-ID: <Pine.BSF.4.32.0108231715470.46875-100000@hellbell.domain> In-Reply-To: <004401c12bd5$21918d60$3303a8c0@needhams.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 23 Aug 2001, Shannon Johnson wrote: > > no chances. It's a very pain jail feature (weakness). :( > > I actually disagree. It it possible to limit a users resources within a sorry, I have to repeat "no chances". You CAN'T limit whole jail limits. If I had the superuser priviliges in your jail(2) I'd trash your system. You can set users limits but you can't resist against root compromise as ASPLinux and UML linux do. > jail. You can use login classes in a jail just as you can outside it. See sure, I do it. > I have used it extensively both at work and home and am very impressed with > both the security and flexibility of a FreeBSD jail. As with all things in I had to fix several shell servers to fix kernel signal race exploit. jail(2) didn't help me in that case. > some binaries (e.g. Linux), however, please make sure that if you are > running a 4.2 and 3.x system, make sure that you have the patch for the > procfs vulnerability http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html The most important patch IMO is the kern/18209. *** WBR, Alexey Zakirov (frank@agava.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.32.0108231715470.46875-100000>