Date: Tue, 22 Apr 2025 00:01:32 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-pkgbase@freebsd.org
Subject: Re: Splitting critical libraries from interactive shell in runtime package
Message-ID: <9eb9d383-101a-49a9-b12e-ee598cc5c7e0@FreeBSD.org>
In-Reply-To: <015C4C6B-1CEC-4398-A8B9-CE21E88C617C@tetlows.org>

On 21/04/2025 18:43, Gordon Tetlow wrote:
> A while ago, I was playing around with building stripped down jails
> based on pkgbase and noticed that /bin/sh and a whole host of
> interactive commands is in the FreeBSD-runtime package. This seemed
> weird to me as my stripped down jail that is intended to run nginx
> should only have the runtime libraries necessary. Including /bin/sh
> and friends is unnecessary and would only enable an attacker to gain
> a foothold more easily. I recall trying to get it more minimal, but
> FreeBSD-runtime is a critical package that must be installed given
> things like PAM and some extremely critical libraries (libz, libcap,
> libutil, etc) are in this package.

Sounds like an interesting idea, but what's the alternative to start
nginx without /bin/sh for the rc scripts? How does that work?

Cheers,

Matthew
