Date: Wed, 25 Apr 2001 12:27:13 -0700
From: Alfred Perlstein
To: Matt Dillon
Cc: Poul-Henning Kamp, hackers@FreeBSD.ORG
Subject: Re: Idea for additional feature for jail - jailed security level
Message-ID: <20010425122712.P1790@fw.wintelcom.net>
In-Reply-To: <200104251923.f3PJNcD41451@earth.backplane.com>; from dillon@earth.backplane.com on Wed, Apr 25, 2001 at 12:23:38PM -0700

* Matt Dillon [010425 12:24] wrote:
>
> But if we have the ability to run at a higher securelevel inside a jail
> we can allow console-root logins to access the system at the global
> securelevel of -1 yet force every single other login to the system and
> *ALL* services to run inside a jail (chroot to "/" essentially) with
> a higher securelevel.
>
> Enforcing the securelevel combined with the use of chflags inside
> a prison, plus idea #2, gives us much more flexibility than the
> hardwired restrictions jail() currently employs.

That's a really cool idea, you should talk to Robert Watson who's
working on "jailNG" though.

-- 
-Alfred Perlstein - [alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.