Date: Thu, 6 Mar 2014 09:10:33 -0500 From: Shawn Webb <lattera@gmail.com> To: Jason Hellenthal <jhellenthal@dataix.net> Cc: "d@delphij.net" <d@delphij.net>, "secteam@FreeBSD.org" <secteam@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "jamie@FreeBSD.org" <jamie@freebsd.org>, "freebsd-gnats-submit@FreeBSD.org" <freebsd-gnats-submit@freebsd.org>, Nicola Galante <galante@veritas.sao.arizona.edu> Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail Message-ID: <CADt0fhxktYfzzmRNJTDdUu4bHS0f2GVYNtzs6OH%2B8HTGte1kAA@mail.gmail.com> In-Reply-To: <0E7A07FB-FE42-41BE-9FE2-36558C421411@dataix.net> References: <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net> <0E7A07FB-FE42-41BE-9FE2-36558C421411@dataix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 6, 2014 at 1:55 AM, Jason Hellenthal <jhellenthal@dataix.net>wrote: > I would also add . . . separate ssh keys and passwords if the user needs > access to both host and jailed systems. This is just common practice and > not a security flaw by any means but an engineering oversight. > > Popsicle sticks also have a security flaw, they let you jab yourself in > the throat if you fall while sucking on them. Solution . . . sit down. One can also use vnet (VIMAGE kernel option) in conjunction with jails to give each jail its own full TCP/IP stack, rather than sharing the TCP/IP stack with the host.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADt0fhxktYfzzmRNJTDdUu4bHS0f2GVYNtzs6OH%2B8HTGte1kAA>