Date: Mon, 04 Aug 2003 10:53:03 -0700 From: Terry Lambert <tlambert2@mindspring.com> To: Brad Knowles <brad.knowles@skynet.be> Cc: current@freebsd.org Subject: Re: Any patch for ICMP in a jail? Message-ID: <3F2E9D7F.AFEFF672@mindspring.com> References: <Pine.NEB.3.96L.1030804083230.49165B-100000@fledge.watson.org> <a0600120fbb5404c90190@[10.0.1.2]>
next in thread | previous in thread | raw e-mail | index | archive | help
Brad Knowles wrote: > At 8:35 AM -0400 2003/08/04, Robert Watson wrote: > > The best short-term suggestion would be to write a > > privilege-separated ping tool -- a pingd running outside the jail, > > providing UNIX domain sockets in each jail that needs the ability to ping; > > ping then becomes a client that RPC's to pingd. > > It strikes me that this is probably a better solution to the > problem regardless of whether or not you are in a jail. By carefully > controlling the RPC interface, you should be able to reduce the > security exposure, simplify pingd, and bring more of the complex > logic into the unprivileged ping client. > > This would also allow you to apply the same solution for jail vs. > non-jail environments. > > Is this a future enhancement that we can realistically look forward to? You would either lose or overexpose root-restricted functionality, such as flood-ping. -- Terry
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F2E9D7F.AFEFF672>