Date: Fri, 17 Mar 2006 07:18:16 +0100
From: "Simon L. Nielsen"
To: "Jesus R. Camou"
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/jail jail.8
Message-ID: <20060317061815.GA859@zaphod.nitro.dk>
In-Reply-To: <200603161431.k2GEVZiP074949@repoman.freebsd.org>

On 2006.03.16 14:31:35 +0000, Jesus R. Camou wrote:
> jcamou 2006-03-16 14:31:35 UTC
>
> FreeBSD src repository (doc committer)
>
> Modified files:
> usr.sbin/jail jail.8
> Log:
> Do `mount_devfs' when starting a jail.

That is a very bad idea without further explaining the risks, since it
will allow root in the jail more or less full access to the entire
system, since several non-safe device nodes are exported, like disk and
memory devices. To mount a devfs safely inside devfs rules must be set
up.

Could you please add a big warning, or even better, the commands to set
up devfs rules for a jail /dev, like is done by the jail rc.d script?

See also http://cvsweb.freebsd.org/src/usr.sbin/jail/jail.8#rev1.44

-- 
Simon L. Nielsen
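
The concern raised in this message, as an added example that is not part of the original e-mail or of FreeBSD's own scripts: a POSIX sh check that lists a jail's /dev and reports every entry outside a small allowlist, so exported disk or memory device nodes are noticed. The allowlist contents, the function names and the path in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit the names visible in a jail's /dev.
# ALLOWED is an assumed minimal set for a jail; adjust it to local policy.
ALLOWED='null zero random urandom crypto log fd stdin stdout stderr ptmx pts'

# is_allowed NAME
# Succeeds when NAME is on the allowlist or is a pseudo-terminal node.
is_allowed() {
    case "$1" in
        ptyp*|ttyp*) return 0 ;;   # assumed pseudo-terminal naming
    esac
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# audit_jail_dev DIR
# Prints one "UNEXPECTED: <path>" line per entry not on the allowlist.
# Returns 0 if DIR is clean, 1 if anything unexpected is visible,
# 2 if DIR is not a directory.
audit_jail_dev() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "audit_jail_dev: $dir is not a directory" >&2
        return 2
    fi
    for path in "$dir"/*; do
        # Skip the unexpanded pattern left behind by an empty directory.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if ! is_allowed "$name"; then
            echo "UNEXPECTED: $path"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (hypothetical jail path): audit_jail_dev /usr/jail/example/dev
```

A non-zero return means the jail sees more of /dev than the allowlist permits, which is the situation described above when devfs is mounted without rules.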