Date:      Thu, 27 Jul 2000 11:35:50 -0600 (MDT)
From:      "Forrest W. Christian" <forrestc@imach.com>
To:        Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc:        "chem@i-p-d.nl" <chem@i-p-d.nl>, Kenn Martin <kmartin@infoteam.com>, freebsd-isp@FreeBSD.ORG
Subject:   Re: limiting telnet-users
Message-ID:  <Pine.BSF.4.21.0007271132420.11695-100000@workhorse.iMach.com>
In-Reply-To: <20000727142913.A46061@mithrandr.moria.org>

On Thu, 27 Jul 2000, Neil Blakey-Milner wrote:

> On Thu 2000-07-27 (00:58), Forrest W. Christian wrote:
> > About the only way to confine users to their own little private world is
> > chroot.   Period.
> 
> ITYM jail(2).

I had forgotten jail was in the 4.0 chain.  Please modify the above sentence
to "chroot and jail".

> > Chroots are SIGNIFICANTLY more difficult to break out of.
> 
> There have been, and are still, ways to get out of chroot.  See 'sysctl
> kern.chroot_allow_open_directories', for one.

Yes - that is correct - but how much more difficult is it for the average
Unix user to get out of a chroot than some permissions-based scheme?

The point I was trying to make is that about the only almost-secure way to
do this is with something like chroot and jail.   Anything else can be
defeated with some "simple" ingenuity, as opposed to the system-level knowledge
needed for chroot.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
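The sysctl Neil points at, kern.chroot_allow_open_directories, decides whether a process that already holds an open directory descriptor may call chroot(2) at all, which is what closes the classic "keep a directory open, chroot again, then walk back out" hole. As an added audit example that is not part of this thread or of FreeBSD itself, the following POSIX sh script reads that setting and reports whether it is at the strict value. The value meanings are taken from the chroot(2) manual page (0: refused when any directory is open; 1, the default: refused only when already chrooted with directories open; 2: no restriction). The function names and the sample sysctl line are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original thread or the FreeBSD project):
# audit the kern.chroot_allow_open_directories setting discussed above.
#
# Meaning of the value per chroot(2):
#   0 -> chroot(2) is refused for any process holding an open directory
#   1 -> refused only when already chrooted and holding an open directory (default)
#   2 -> no restriction at all
#
# The functions work on plain strings so they can be exercised on a
# constructed sample line without a FreeBSD kernel.

# Human-readable verdict for a value of the sysctl; returns 2 on junk input.
chroot_open_dir_verdict() {
    case "$1" in
        0) echo "strict: chroot refused for processes holding open directories" ;;
        1) echo "default: only re-chroot with open directories is refused" ;;
        2) echo "permissive: no restriction, open-directory escapes are not blocked" ;;
        *) echo "unknown value: $1"; return 2 ;;
    esac
}

# Succeeds (exit 0) only for the hardened setting.
chroot_setting_is_hardened() {
    [ "$1" = "0" ]
}

# Extract the numeric value from a "name: value" line as printed by
# 'sysctl kern.chroot_allow_open_directories'.
sysctl_value_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^kern\.chroot_allow_open_directories: *\([0-9]*\).*/\1/p'
}

# Audit the running host when the sysctl exists, otherwise fall back to a
# constructed sample line so the script also runs on non-FreeBSD systems.
audit_chroot_sysctl() {
    if command -v sysctl >/dev/null 2>&1 &&
       sysctl kern.chroot_allow_open_directories >/dev/null 2>&1; then
        line=$(sysctl kern.chroot_allow_open_directories)
    else
        line="kern.chroot_allow_open_directories: 1"   # constructed sample
    fi
    value=$(sysctl_value_from_line "$line")
    echo "$line -> $(chroot_open_dir_verdict "$value")"
    if chroot_setting_is_hardened "$value"; then
        echo "OK: hardened"
    else
        echo "WARN: not at the strict value 0; set it in /etc/sysctl.conf if your workload permits"
    fi
}

audit_chroot_sysctl
```

Run it as a periodic check on each host that confines users with chroot; the `audit_chroot_sysctl` output line is easy to grep for "WARN" from a cron job. Setting the value to 0 can break legitimate software that calls chroot(2) while holding a directory open, so treat the warning as a prompt to review, not an automatic change.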