From owner-freebsd-security Thu Aug 23 11:26:31 2001
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 23 Aug 2001 22:26:22 +0400 (MSD)
From: Alexey Zakirov
Subject: Re: jail & security
In-Reply-To: <002901c12bd9$d7ecc300$45e03ac3@skif.net>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 23 Aug 2001, Igor Melnichuk wrote:

> > jail. You can use login classes in a jail just as you can outside it. See
> > login.conf(5)
> > www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf
>
> 100% true and it works fine. But You can't restrict 'root' in case when You
> have to delegate these privileges to somebody (to make customization of
> apache for instance). Such user can always override 'login.conf' so this is

Yep. You can do it for trusted users, but you can't do it for _untrusted_
users. There is a pretty simple patch that doesn't allow changing the limits
inside a jail(2), but it also requires a lot of experience to get it safe.
*** WBR, Alexey Zakirov (frank@agava.com)
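
The limits a login class sets are ordinary setrlimit(2) resource limits, which is why they bind an unprivileged user but not a delegated root, as the thread above discusses. The C program below is an added example, not code from the thread or from FreeBSD; the function name and outcome codes are illustrative, and RLIMIT_NOFILE stands in for whatever limit the login class would set.

```c
/* Added example, not from the original thread. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative outcome codes for probe_hard_limit(). */
enum { LIMIT_HELD = 0, LIMIT_RAISED = 1, PROBE_ERROR = 2 };

/*
 * Child: halve the hard RLIMIT_NOFILE limit (standing in for the limit a
 * login class sets at login), then try to restore the original value.
 * Parent: report whether the kernel let the child undo the restriction.
 */
int probe_hard_limit(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        struct rlimit orig, low;

        if (getrlimit(RLIMIT_NOFILE, &orig) != 0 || orig.rlim_max < 2)
            _exit(PROBE_ERROR);
        low.rlim_max = orig.rlim_max / 2;
        low.rlim_cur = orig.rlim_cur < low.rlim_max ? orig.rlim_cur : low.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &low) != 0)   /* lowering needs no privilege */
            _exit(PROBE_ERROR);
        if (setrlimit(RLIMIT_NOFILE, &orig) == 0)  /* raising the hard limit */
            _exit(LIMIT_RAISED);
        _exit(errno == EPERM ? LIMIT_HELD : PROBE_ERROR);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_hard_limit();

    printf("euid=%d: %s\n", (int)geteuid(),
           r == LIMIT_RAISED ? "hard limit raised again, restriction not binding" :
           r == LIMIT_HELD   ? "EPERM, hard limit holds" : "probe failed");
    return r == PROBE_ERROR;
}
```

Run as an ordinary user it reports that the limit holds; run as a privileged root it reports the limit raised again, which is the gap a jail-side restriction on changing limits would have to close.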