From owner-freebsd-security  Thu Aug 23  6:46:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196])
	by hub.freebsd.org (Postfix) with ESMTP id 5841E37B406
	for <freebsd-security@freebsd.org>; Thu, 23 Aug 2001 06:46:49 -0700 (PDT)
	(envelope-from bright@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1192)
	id 509DF81D06; Thu, 23 Aug 2001 08:46:49 -0500 (CDT)
Date: Thu, 23 Aug 2001 08:46:49 -0500
From: Alfred Perlstein <bright@mu.org>
To: Shannon Johnson <shannon@needhams.com>
Cc: Alexey Zakirov <frank@agava.com>, freebsd-security@freebsd.org
Subject: Re: jail & security
Message-ID: <20010823084649.A81307@elvis.mu.org>
References: <Pine.BSF.4.32.0108231715470.46875-100000@hellbell.domain> <00b001c12bda$09996fc0$3303a8c0@needhams.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00b001c12bda$09996fc0$3303a8c0@needhams.com>; from shannon@needhams.com on Thu, Aug 23, 2001 at 06:46:40AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

* Shannon Johnson <shannon@needhams.com> [010823 08:41] wrote:
> > On Thu, 23 Aug 2001, Alexey Zakirov wrote:
> >
> > > > no chances. It's a very pain jail feature (weakness). :(
> > >
> > > I actually disagree. It it possible to limit a users resources within a
> >
> > sorry, I have to repeat "no chances".
> > You CAN'T limit whole jail limits. If I had the superuser priviliges in
> > your jail(2) I'd trash your system. You can set users limits but you can't
> > resist against root compromise as ASPLinux and UML linux do.
> 
> Alexey, correct me if I am wrong, but Igor was asking if it was possible to
> limit "resources allocated by  each VM (jail)." I simply addressed it on
> this issue and not on "root compromise." That is why I refered him to login
> classes.
> 
> By the way, it is nice to know that you would trash my system if given root
> access within the jail. However, there are ways to prevent people like
> yourself from destroying a system (e.g. read only file system, setting the
> system immutable flag, etc.)
> 
> Remind me to never give you a shell account.

Alexey is wrong in stating 'You CAN'T limit whole jail limits.' you
actually can given the right patches to the jail subsystem. :)

-- 
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message