Message-ID: <002901c12bd9$d7ecc300$45e03ac3@skif.net>
From: "Igor Melnichuk"
References: <004401c12bd5$21918d60$3303a8c0@needhams.com>
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 16:45:11 +0300
Sender: owner-freebsd-security@FreeBSD.ORG

> > no chances. It's a very pain jail feature (weakness). :(
>
> I actually disagree. It is possible to limit a user's resources within a
> jail. You can use login classes in a jail just as you can outside it. See
> login.conf(5)
> www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf

100% true and it works fine. But you can't restrict 'root' in the case when you have to delegate these privileges to somebody (to make customization of apache, for instance). Such a user can always override 'login.conf', so this is not a 'perfect' solution. I prefer 'system' control.

igor