Date: Tue, 18 May 2004 01:35:27 -0700
From: Gregory Sutter
To: Norberto Meijome
Cc: freebsd-security@freebsd.org
Subject: Re: Multi-User Security
Message-ID: <20040518083527.GE73800@klapaucius.zer0.org>
In-Reply-To: <40A993F0.2040806@meijome.net>

On 2004-05-18 14:41 +1000, Norberto Meijome wrote:
> Richard Coleman wrote:
>
> >Using a chroot or a jail is the way to go if possible.  If you can't use
> >that, then unix permissions or ACL's is the next bet.  Restricting
> >commands is the most fragile solution since in many cases it can be
> >subverted.
>
> Excuse my ignorance, could you quickly tell me the difference (or point
> me to a good reference article/book) between chroot + jail?
> is it that a jail is always chrooted but not the other way around?
> is a jail more encompassing than chroot only?

If you had typed "freebsd jail" into Google, this paper would have
been the first of several hundred useful links.  The answer to your
question is in its introduction.

http://docs.freebsd.org/44doc/papers/jail/jail.html

Greg
-- 
Gregory S. Sutter                Was Jimi's modem a Purple Hayes?
mailto:gsutter@zer0.org
http://zer0.org/~gsutter/