Date:      Tue, 7 Aug 2001 14:21:41 +0800
From:      Igor Podlesny <poige@morning.ru>
To:        Alexey Zakirov <frank@agava.com>
Cc:        Paulo Fragoso <paulo@nlink.com.br>, security@FreeBSD.ORG
Subject:   Re[3]: SSHD in JAIL
Message-ID:  <261958205.20010807142141@morning.ru>
In-Reply-To: <Pine.BSF.4.32.0108061537530.57640-100000@hellbell.domain>
References:  <Pine.BSF.4.32.0108061537530.57640-100000@hellbell.domain>


a cite from MAN:
     Inside the prison, the concept of "superuser" is very diluted.  In
     general, it can be assumed that nothing can be mangled from inside a
     prison which does not exist entirely inside that prison.  For instance
     the directory tree below ``path'' can be manipulated all the ways a root
     can normally do it, including ``rm -rf /*'' but new device special nodes
     cannot be created because they reference shared resources (the device
     drivers in the kernel).

So it's becoming too redundant to use nodev with jail(2), don't you
agree?

> On Mon, 6 Aug 2001, Paulo Fragoso wrote:

>> I was thinking if the jail dir is mounted on a file system with "nodev" it
>> will be more secure. Anyone could access any disks in the jails environment.
>> Is it all right?

> yes, but you don't have to create all those disk device nodes. And of
> course you can't create a device node inside jail itself.

> *** WBR, Alexey Zakirov (frank@agava.com)

-- 
Igor                            mailto:poige@morning.ru
http://morning.ru/~poige


