Date: Mon, 31 Jan 2005 20:39:35 +0100
From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: freebsd-hackers@freebsd.org
Subject: Re: Idea about 'skeleton jail
Message-ID: <20050131193935.GA34986@shellma.zin.lublin.pl>
In-Reply-To: <51723.81.84.175.77.1107199764.squirrel@81.84.175.77>
References: <1107178792.613.22.camel@spirit> <20050131161006.GD60177@obiwan.tataz.chchile.org> <51723.81.84.175.77.1107199764.squirrel@81.84.175.77>

On Mon, Jan 31, 2005 at 01:29:24PM -0600, security@revolutionsp.com wrote:

> Very nice idea!! This greatly improves jail management on FreeBSD. There
> is a possibility for a minor drawback -- if one can change a system binary
> in the host system, then all jails are compromised -- but assuming one
> would need root access on the host to change the binary, he would have
> power to change any jail anyway, so this is rather redundant.
>
> Great feature here, when can we see this added to the system?

BTW, people have been using setups like this for years.

> >> I have already done some experiments. Basically we want the following
> >> directories to be mount_null'ed:
> >> /bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include,
> >> /usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share

-- 
Paweł Małachowski