Date: Thu, 23 Aug 2001 08:46:49 -0500 From: Alfred Perlstein <bright@mu.org> To: Shannon Johnson <shannon@needhams.com> Cc: Alexey Zakirov <frank@agava.com>, freebsd-security@freebsd.org Subject: Re: jail & security Message-ID: <20010823084649.A81307@elvis.mu.org> In-Reply-To: <00b001c12bda$09996fc0$3303a8c0@needhams.com>; from shannon@needhams.com on Thu, Aug 23, 2001 at 06:46:40AM -0700 References: <Pine.BSF.4.32.0108231715470.46875-100000@hellbell.domain> <00b001c12bda$09996fc0$3303a8c0@needhams.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* Shannon Johnson <shannon@needhams.com> [010823 08:41] wrote: > > On Thu, 23 Aug 2001, Alexey Zakirov wrote: > > > > > > no chances. It's a very pain jail feature (weakness). :( > > > > > > I actually disagree. It it possible to limit a users resources within a > > > > sorry, I have to repeat "no chances". > > You CAN'T limit whole jail limits. If I had the superuser priviliges in > > your jail(2) I'd trash your system. You can set users limits but you can't > > resist against root compromise as ASPLinux and UML linux do. > > Alexey, correct me if I am wrong, but Igor was asking if it was possible to > limit "resources allocated by each VM (jail)." I simply addressed it on > this issue and not on "root compromise." That is why I refered him to login > classes. > > By the way, it is nice to know that you would trash my system if given root > access within the jail. However, there are ways to prevent people like > yourself from destroying a system (e.g. read only file system, setting the > system immutable flag, etc.) > > Remind me to never give you a shell account. Alexey is wrong in stating 'You CAN'T limit whole jail limits.' you actually can given the right patches to the jail subsystem. :) -- -Alfred Perlstein [alfred@freebsd.org] Ok, who wrote this damn function called '??'? And why do my programs keep crashing in it? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010823084649.A81307>