From owner-freebsd-current@FreeBSD.ORG  Tue Aug  5 04:51:13 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E59F137B401
	for <current@freebsd.org>; Tue,  5 Aug 2003 04:51:13 -0700 (PDT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 39F0843F75
	for <current@freebsd.org>; Tue,  5 Aug 2003 04:51:13 -0700 (PDT)
	(envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK))
	by gw.celabo.org (Postfix) with ESMTP
	id A362254840; Tue,  5 Aug 2003 06:51:12 -0500 (CDT)
Received: by madman.celabo.org (Postfix, from userid 1001)
	id 3BBBF6D455; Tue,  5 Aug 2003 06:51:12 -0500 (CDT)
Date: Tue, 5 Aug 2003 06:51:12 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Terry Lambert <tlambert2@mindspring.com>
Message-ID: <20030805115112.GA13555@madman.celabo.org>
References: <Pine.NEB.3.96L.1030804083230.49165B-100000@fledge.watson.org>
	<a0600120fbb5404c90190@[10.0.1.2]> <3F2E9D7F.AFEFF672@mindspring.com>
	<20030804212340.GD10339@madman.celabo.org> <3F2F8D3B.7542C2A1@mindspring.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3F2F8D3B.7542C2A1@mindspring.com>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.4i-ja.1
cc: current@freebsd.org
Subject: Re: Any patch for ICMP in a jail?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2003 11:51:14 -0000

On Tue, Aug 05, 2003 at 03:55:55AM -0700, Terry Lambert wrote:
> Through the credential passing?  I thought that wasn't reliable
> for this type of thing.  Specifically, the jail would be in an
> untrusted protection domain; if you just accepted the credential
> blindly, then anyone could be root in the jail, and you could not
> trust it.
> 
> If you didn't accept it blindly, then regular root loses existing
> functionality.
> 
> I'm pretty sure that, at least the last time I looke at it, the
> credential passing code didn't pass information about jail status.
[deletia]

Sorry, you are right.  Despite the subject line, I wasn't thinking of
jails at this point, but just of removing the setuid bit from ping.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se