Date: Sat, 16 Nov 2002 10:23:19 +0100
From: Pawel Jakub Dawidek
To: Matthew Dillon
Cc: freebsd-hackers@freebsd.org
Subject: Re: tty/pty devices not safe in jail?
Message-ID: <20021116092319.GR590@garage.freebsd.pl>
In-Reply-To: <200211132001.gADK188f001694@apollo.backplane.com>
References: <98485.1037216817@critter.freebsd.dk> <200211132001.gADK188f001694@apollo.backplane.com>

On Wed, Nov 13, 2002 at 12:01:08PM -0800, Matthew Dillon wrote:
+> Would people be interested if I added such a feature? Limit the
+> highest allocatable pty to 90% when operating within a jail? e.g.
+> if you have 256 ptys both jail and normal tend to allocate ptys
+> from the bottom up, but the jail would not be allowed to allocate
+> past pty #227. This way if a jail eats all the ptys the sysadmin
+> can still ssh in.

First of all, there is no such limit in the main system (not jailed), so
there is always a chance to DoS your machine in this way if you have
non-jailed users. So this isn't a complete solution.

But if there are no free ptys, I log in via:

	% ssh -vC /bin/sh

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.