Date: Tue, 7 Aug 2001 14:21:41 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <261958205.20010807142141@morning.ru>
To: Alexey Zakirov
Cc: Paulo Fragoso, security@FreeBSD.ORG
Subject: Re[3]: SSHD in JAIL

a cite from MAN:

     Inside the prison, the concept of "superuser" is very diluted.  In
     general, it can be assumed that nothing can be mangled from inside a
     prison which does not exist entirely inside that prison.  For instance
     the directory tree below ``path'' can be manipulated all the ways a root
     can normally do it, including ``rm -rf /*'' but new device special nodes
     cannot be created because they reference shared resources (the device
     drivers in the kernel).

so it's becoming too redundant to use nodev with jail(2), don't you agree?

> On Mon, 6 Aug 2001, Paulo Fragoso wrote:

>> I was thinking if jail dir mounted on file system with "nodev" it will
>> be more secure. Anyone could access any disks in the jails environment. Is it
>> all right?

> yes, but you don't have to create all those disk device nodes. And of
> course you can't create a device node inside jail itself.

> *** WBR, Alexey Zakirov (frank@agava.com)

--
Igor mailto:poige@morning.ru
http://morning.ru/~poige