From owner-freebsd-hackers Wed Apr 25 12:33:13 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 48E1A37B422 for ; Wed, 25 Apr 2001 12:33:11 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.11.2) id f3PJX5D41622; Wed, 25 Apr 2001 12:33:05 -0700 (PDT) (envelope-from dillon) Date: Wed, 25 Apr 2001 12:33:05 -0700 (PDT) From: Matt Dillon Message-Id: <200104251933.f3PJX5D41622@earth.backplane.com> To: Alfred Perlstein Cc: Poul-Henning Kamp , hackers@FreeBSD.ORG Subject: Re: Idea for additional feature for jail - jailed security level References: <74643.988226120@critter> <200104251923.f3PJNcD41451@earth.backplane.com> <20010425122712.P1790@fw.wintelcom.net> Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Another cool feature, which would be harder to implement, would be to have a secondary path for jail which specifies the path under which filesystem modifications can be made (create files, edit files, etc...), and outside of which only read access is permitted. This way you could create a jail with "/" as the chroot yet which still severely restricts the types of filesystem modifications that may be employed outside of some other directory. With a feature like that it would be fairly easy to run apache inside a jailed environment without having to spend a lot of effort creating the environment. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message