Date:      Tue, 10 May 2011 20:21:57 +0100
From:      Jamie Landeg Jones <jamie@bishopston.net>
To:        des@des.no, bakul@bitblocks.com
Cc:        jamie@bishopston.net, jhell@DataIX.net, feld@feld.me, edhoprima@gmail.com, freebsd-security@freebsd.org, phk@phk.freebsd.dk, utisoft@gmail.com
Subject:   Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-ID:  <201105101921.p4AJLvQL086908@catflap.bishopston.net>
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References:  <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

Haha, all talking about kernel hacks and so on, and yet, to me,
that seems the simplest, but ALSO, the most elegant solution.

I'd have some override flag that could be set for those whose jails
are directly under an important folder, e.g. /usr/my-jail-name/
so that those unable to change straight away can set an rc/sysctl
flag rather than have to hack the code.

Is this turning into a bikeshed discussion?
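
The check proposed in the quoted text, combined with the override flag suggested in the reply, as an added example that is not part of the original message and is not FreeBSD's jail(8) code. The function name, result codes and the `allow_open_parent` parameter are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical result codes for this example. */
enum parent_check { PARENT_ERROR = -2, PARENT_REFUSED = -1, PARENT_OK = 0, PARENT_OVERRIDDEN = 1 };

/*
 * Refuse a jail root unless the directory containing it is mode 0700.
 * allow_open_parent models the rc/sysctl override flag from the reply.
 */
enum parent_check
check_jail_parent(const char *jail_root, int allow_open_parent)
{
	char resolved[PATH_MAX], parent[PATH_MAX];
	struct stat sb;
	char *dir;

	/* Resolve symlinks first so the check applies to the real parent. */
	if (realpath(jail_root, resolved) == NULL || strcmp(resolved, "/") == 0)
		return (PARENT_ERROR);
	strcpy(parent, resolved);	/* dirname() may modify its argument */
	dir = dirname(parent);
	if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
		return (PARENT_ERROR);
	/* Exact match: any group/other bit or setuid/setgid/sticky bit fails. */
	if ((sb.st_mode & 07777) == 0700)
		return (PARENT_OK);
	return (allow_open_parent ? PARENT_OVERRIDDEN : PARENT_REFUSED);
}

int
main(int argc, char **argv)
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s jail-root [override]\n", argv[0]);
		return (2);
	}
	/* Any second argument stands in for the override flag. */
	enum parent_check r = check_jail_parent(argv[1], argc > 2);
	printf("%s: %s\n", argv[1], r == PARENT_OK ? "parent is 0700" :
	    r == PARENT_OVERRIDDEN ? "parent not 0700, override set" :
	    r == PARENT_REFUSED ? "refused, parent not 0700" : "cannot check parent");
	return (r < 0);
}
```

A jail placed directly under a shared directory, such as the /usr/my-jail-name/ case in the reply, is the situation where only the override path can succeed.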



