Date: Sat, 12 Mar 2005 22:52:37 -0600 From: Frank Knobbe <frank@knobbe.us> To: security@revolutionsp.com Cc: freebsd-hackers@freebsd.org Subject: Re: Idea about 'skeleton jail Message-ID: <1110689557.890.73.camel@localhost> In-Reply-To: <51723.81.84.175.77.1107199764.squirrel@81.84.175.77> References: <1107178792.613.22.camel@spirit> <20050131161006.GD60177@obiwan.tataz.chchile.org> <51723.81.84.175.77.1107199764.squirrel@81.84.175.77>
next in thread | previous in thread | raw e-mail | index | archive | help
--=-JZY1N/yPymwwI+kavRMc Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Mon, 2005-01-31 at 13:29 -0600, security@revolutionsp.com wrote: > Very nice idea!! This greatly improves jail management on FreeBSD. There > is a possibility for a minor drawback -- if one can change a system binar= y > in the host system, them all jails are compromised -- but assuming one > would need root access on the host to change the binary, he would have > power to change any jail anyway, so this is rather redundant. Another important drawback is that you can not prune the jail. For example, I prefer to remove "sharp objects" from certain jails for security reasons. There is no need for gcc, ftp and other binaries to reside in a jail when these are not used. These only give an intruder into the jail the tools he needs to bring his scripts in to further hack on the system. If you nullfs these directories, you loose the ability to prune the jail. Pruning is part of system hardening. I'd rather improve the security of a jail than to sacrifice it. Your objectives may differ of course. Cheers, Frank --=-JZY1N/yPymwwI+kavRMc Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCM8cVwBQKb2zelzoRAmRLAKDbNCEz2Zq+Xrl9/6RvCayXXWM2iwCgtIfZ VnFuJY1YkLWKx2d/TzaZIrw= =Aej5 -----END PGP SIGNATURE----- --=-JZY1N/yPymwwI+kavRMc--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1110689557.890.73.camel>