From owner-freebsd-bugs@FreeBSD.ORG  Thu Oct  8 12:11:45 2009
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 15D831065672;
	Thu,  8 Oct 2009 12:11:45 +0000 (UTC) (envelope-from greenx@yartv.ru)
Received: from mail.yartv.ru (smtp.yartv.ru [94.158.0.17])
	by mx1.freebsd.org (Postfix) with ESMTP id C1FE68FC17;
	Thu,  8 Oct 2009 12:11:44 +0000 (UTC)
Received: from greenx.yartelenet.ru (greenx.yartelenet.ru [94.158.0.2])
	by mail.yartv.ru (Postfix) with ESMTP id 8BBBD730CD;
	Thu,  8 Oct 2009 16:06:21 +0400 (MSD)
Message-ID: <4ACDD5B0.5030205@yartv.ru>
Date: Thu, 08 Oct 2009 16:06:08 +0400
From: Andrey Groshev <greenx@yartv.ru>
User-Agent: Thunderbird 2.0.0.23 (X11/20091001)
MIME-Version: 1.0
To: remko@FreeBSD.org
References: <200910081032.n98AWAZd011132@freefall.freebsd.org>
In-Reply-To: <200910081032.n98AWAZd011132@freefall.freebsd.org>
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: misc/139422: make the jail safe for the parent system
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2009 12:11:45 -0000

Even if it not the colleague, and I.
I too can make an error, despite the fact that what I trust myself on 
hundred percent.
Also it turns out that at a successful crack and reception root 
privileges in jail, it is possible to put out of action parent system at 
the following reboot.
Since by default in jail it is started /etc/rc.


remko@FreeBSD.org пишет:
> Synopsis: make the jail safe for the parent system
>
> State-Changed-From-To: open->closed
> State-Changed-By: remko
> State-Changed-When: Thu Oct 8 10:32:10 UTC 2009
> State-Changed-Why: 
> Hello, I think I understand what you ar etrying to say here. But I think
> that only trusted people should be allowed into a jail, as well as with
> a regular server. You could give the user sudo access for specific tasks
> so tht he cannot do everything as highly privileged user. Yes ofcourse
> you might be able to get out of those things if you are creative. The
> question is, where do we put the line. I think that in this case one
> should know what he puts in rc.local, if this is a jail, and you use the
> regular scripts, the 'jail' rc.d will not be used at all. Please discuss
> this further on the questions list, and report to me in case this is
> really a problem. Anyway; thanks for using FreeBSD! It's greatly
> appreciated...
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=139422
>