Date:      Mon, 1 Jun 2009 03:56:41 +0200
From:      Richard Noorlandt <lists.freebsd@gmail.com>
To:        freebsd-jail@freebsd.org
Subject:   Re: Implications of allow_raw_sockets=1
Message-ID:  <99c92b5f0905311856r4cb9e23apfd36b806b0250f45@mail.gmail.com>
In-Reply-To: <5da021490905311447ya99c484ucaeabc74e813f394@mail.gmail.com>
References:  <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com> <5da021490905311447ya99c484ucaeabc74e813f394@mail.gmail.com>

2009/5/31 Justin G. <justin@sigsegv.ca>:
> Raw sockets can allow processes to sniff the network, craft
> malformed packets, execute DDoS attacks, inject packets, among other
> things.

These are basically things that any non-virtualized server could do on the
network. As such, disallowing raw sockets should give higher security than a
'normal' server running FreeBSD without a jail.

But does the use of raw sockets open up holes that could allow the root user
in a jail to break into another jail? I'm particularly concerned about attack
vectors that wouldn't exist with multiple real hosts connected through a dumb
switch (which usually introduces all the risks you mentioned).

Best regards,

Richard
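An added example, not part of the original message or the FreeBSD project: a
small audit script that lists which jails on a host have raw sockets enabled.
It assumes the per-jail parameter name `allow.raw_sockets` and the
`name=value` line format that `jls -n` prints (FreeBSD 8 and later; on the
FreeBSD 7 releases current when this thread was written the setting was the
global sysctl `security.jail.allow_raw_sockets`). The three `jls`-style lines
below are constructed sample input so the parser runs without a jail host.

```shell
#!/bin/sh
# Audit helper (added example, not FreeBSD code). Reads "jls -n"-style
# lines on stdin and prints the name of every jail whose
# allow.raw_sockets parameter is 1, i.e. every jail whose root can open
# raw sockets and do the sniffing/injection Justin describes.

flag_raw_socket_jails() {
  awk '{
    name = ""; raw = "";
    for (i = 1; i <= NF; i++) {
      n = index($i, "=");
      if (n == 0) continue;
      key = substr($i, 1, n - 1);
      val = substr($i, n + 1);
      if (key == "name") name = val;
      if (key == "allow.raw_sockets") raw = val;
    }
    if (raw == "1") print name;
  }'
}

# Constructed sample, in the format "jls -n jid name allow.raw_sockets"
# is assumed to produce; replace with the real command on a jail host:
#   jls -n jid name allow.raw_sockets | flag_raw_socket_jails
SAMPLE_JLS='jid=1 name=www allow.raw_sockets=0
jid=2 name=monitor allow.raw_sockets=1
jid=3 name=dns allow.raw_sockets=0'

# Convenience wrapper so the sample can be checked without a real host.
audit_sample() {
  printf '%s\n' "$SAMPLE_JLS" | flag_raw_socket_jails
}

# Remediation (assumed syntax for /etc/jail.conf on FreeBSD 8+):
#   allow.raw_sockets = 0;    # the default; only set to 1 where ping/traceroute
#                             # inside the jail is genuinely required
# On a running jail: jail -m jid=2 allow.raw_sockets=0

audit_sample
```

The script only flags the parameter; whether raw sockets let one jail attack
another on the same host is exactly the question the message above leaves
open, so treat a flagged jail as one that needs that review, not as a known
breach.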

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?99c92b5f0905311856r4cb9e23apfd36b806b0250f45>