From owner-freebsd-hackers@FreeBSD.ORG  Sun Mar 13 11:00:47 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3A79916A4CE
	for <freebsd-hackers@freebsd.org>;
	Sun, 13 Mar 2005 11:00:47 +0000 (GMT)
Received: from deliver.smtp.vlink.ru (alias.rigel.internal.vlink.ru
	[217.23.88.17])	by mx1.FreeBSD.org (Postfix) with ESMTP id 9FD2543D62
	for <freebsd-hackers@freebsd.org>;
	Sun, 13 Mar 2005 11:00:45 +0000 (GMT)	(envelope-from dsh@vlink.ru)
Received: from smtp.smtp.vlink.ru (clamav.smtp.vlink.ru [192.168.4.1])
	by deliver.smtp.vlink.ru (Postfix) with ESMTP id 53D854574E;
	Sun, 13 Mar 2005 14:00:43 +0300 (MSK)
Received: from neva.vlink.ru (neva.vlink.ru [217.107.252.29])
	by smtp.smtp.vlink.ru (Postfix) with ESMTP id 2C75745133;
	Sun, 13 Mar 2005 14:00:43 +0300 (MSK)
Received: from neva.vlink.ru (localhost [127.0.0.1])
	by neva.vlink.ru (8.13.3/8.13.3) with ESMTP id j2DB0g2p034879;
	Sun, 13 Mar 2005 14:00:42 +0300 (MSK)
	(envelope-from dsh@vlink.ru)
Received: (from dsh@localhost)
	by neva.vlink.ru (8.13.3/8.13.3/Submit) id j2DB0goR034876;
	Sun, 13 Mar 2005 14:00:42 +0300 (MSK)
	(envelope-from dsh@vlink.ru)
X-Comment-To: Frank Knobbe
To: Frank Knobbe <frank@knobbe.us>
References: <1107178792.613.22.camel@spirit>
	<20050131161006.GD60177@obiwan.tataz.chchile.org>
	<51723.81.84.175.77.1107199764.squirrel@81.84.175.77>
	<1110689557.890.73.camel@localhost>
From: Denis Shaposhnikov <dsh@vlink.ru>
Date: Sun, 13 Mar 2005 14:00:42 +0300
In-Reply-To: <1110689557.890.73.camel@localhost> (Frank Knobbe's message of
 "Sat, 12 Mar 2005 22:52:37 -0600")
Message-ID: <87d5u33j51.fsf@neva.vlink.ru>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Jumbo Shrimp,
 berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Virus-Scanned: ClamAV using ClamSMTP
cc: freebsd-hackers@freebsd.org
cc: security@revolutionsp.com
Subject: Re: Idea about 'skeleton jail
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2005 11:00:47 -0000

>>>>> "Frank" == Frank Knobbe <frank@knobbe.us> writes:

 Frank> If you nullfs these directories, you loose the ability to
 Frank> prune the jail. Pruning is part of system hardening. I'd

May be it's better to use unionfs, so anybody can replace binaries
with their stub version pre jail.

-- 
DSS5-RIPE DSS-RIPN 2:550/5068@fidonet 2:550/5069@fidonet
mailto:dsh@vlink.ru http://neva.vlink.ru/~dsh/