From owner-freebsd-security Thu Aug 23 6:40:54 2001
Message-ID: <00b001c12bda$09996fc0$3303a8c0@needhams.com>
From: "Shannon Johnson"
To: "Alexey Zakirov"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 06:46:40 -0700
Sender: owner-freebsd-security@FreeBSD.ORG

> On Thu, 23 Aug 2001, Alexey Zakirov wrote:
>
> > > no chances. It's a very pain jail feature (weakness). :(
> >
> > I actually disagree. It is possible to limit a user's resources within a
>
> sorry, I have to repeat "no chances".
> You CAN'T limit whole jail limits. If I had the superuser privileges in
> your jail(2) I'd trash your system. You can set users limits but you can't
> resist against root compromise as ASPLinux and UML linux do.

Alexey, correct me if I am wrong, but Igor was asking if it was possible to
limit "resources allocated by each VM (jail)." I simply addressed it on this
issue and not on "root compromise." That is why I referred him to login
classes.

By the way, it is nice to know that you would trash my system if given root
access within the jail. However, there are ways to prevent people like
yourself from destroying a system (e.g. read only file system, setting the
system immutable flag, etc.) Remind me to never give you a shell account.

---
Shannon