Message-ID: <3832F11A.6D206BEC@newsguy.com>
Date: Thu, 18 Nov 1999 03:16:58 +0900
From: "Daniel C. Sobral"
To: Yoshinobu Inoue
Cc: phk@critter.freebsd.dk, beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?

Yoshinobu Inoue wrote:
>
> -As already commented, checking those addresses which
> already specified by other jail'ed processes is necessary.

I disagree. The address is specified by the admin of the machine.
Letting him shoot himself in the foot is not particularly bad, and the
test can be performed by the userland tools used to manage the
machine.

> solution:
> Don't specify addresses via jail(2), and let kernel select
> any non binded address.
> Loop in_ifaddr list and try in_pcblookup_hash() for each
> of addresses, just as in_pcbbind does it to search for non
> binded port.
>
> A weak point of this solution is that processes in a same jail
> won't be necessarily binded to a same address, but does it
> matter?

Ok, question: I "buy" a virtual server on the machine to run an
internet daemon of mine. I need the IP to that server to access the
daemon. How does the admin of the machine ensure that _my_ jail will
have the fixed IP assigned to me always with your solution?

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

"Then again maybe not going to heaven would be a blessing. Relkin
liked a certain amount of peace and harmony, since there'd been a
pronounced shortage of them in his own life; however, nothing but
peace and harmony, forever and forever? He wasn't sure about that. And
no beer? Very dubious proposition."