Date: Tue, 7 Aug 2001 08:55:27 -0300 (BRT)
From: Paulo Fragoso <paulo@nlink.com.br>
To: Igor Podlesny <poige@morning.ru>
Cc: Alexey Zakirov <frank@agava.com>, <security@FreeBSD.ORG>
Subject: Re[3]: SSHD in JAIL
Message-ID: <20010807085156.F29899-100000@mirage.nlink.com.br>
In-Reply-To: <261958205.20010807142141@morning.ru>

On Tue, 7 Aug 2001, Igor Podlesny wrote:

>
> a cite from MAN:
>      Inside the prison, the concept of "superuser" is very diluted.  In
>      general, it can be assumed that nothing can be mangled from inside a
>      prison which does not exist entirely inside that prison.  For instance
>      the directory tree below ``path'' can be manipulated all the ways a
>      root can normally do it, including ``rm -rf /*'' but new device special
>      nodes cannot be created because they reference shared resources (the
>      device drivers in the kernel).
>
> so it's becoming too redundant to use nodev with jail(2), don't you
> agree?

Yes, I agree.

Thanks,
Paulo Fragoso.

>
> > On Mon, 6 Aug 2001, Paulo Fragoso wrote:
>
> >> I was thinking if jail dir mounted on file system with "nodev" it will
> >> be more secure. Anyone could access any disks in the jail's environment.
> >> Is it all right?
>
> > yes, but you don't have to create all those disk device nodes. And of
> > course you can't create a device node inside jail itself.
>
> > *** WBR, Alexey Zakirov (frank@agava.com)
>
> --
> Igor mailto:poige@morning.ru
> http://morning.ru/~poige
>
>

--
   __O
 _-\<,_     Why drive when you can bike?
(_)/ (_)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message