Date: Mon, 11 Oct 1999 07:17:21 -0500
From: Jacques Vidrine <n@nectar.com>
To: Will Andrews <will@shadow.blackdawn.com>
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: chroot jail in pre 4.0
Message-ID: <19991011121721.5D58C1D8D@bone.nectar.com>
In-Reply-To: <19991010204844.A9523@shadow.blackdawn.com>
References: <19991008170540.A1618@fever.semiotek.com> <19991010204844.A9523@shadow.blackdawn.com>

[Crossposting to -stable and -security, but Reply-To: set to -stable.]

On 10 October 1999 at 20:48, Will Andrews <will@shadow.blackdawn.com> wrote:
> On Fri, Oct 08, 1999 at 05:05:40PM -0400, Justin Wells wrote:
> Actually.. Jacques Vidrine <nectar@FreeBSD.ORG> is in the process of (has
> finished?) backporting jail(2,8) to -STABLE.

Patches for -STABLE can be found at http://www.nectar.com/freebsd/jail.html.

> This is currently being
> discussed on freebsd-stable@FreeBSD.ORG. So far, however, I'm pretty
> certain that the developers will choose not to commit due to a small
> chance that the commit may break binaries (KLD's) built by third-party
> vendors (if any). Jacques questions whether there are any or not.. please
> see freebsd-stable@FreeBSD.ORG mailing list archives.

So far, the community on -STABLE has identified one third-party KLD (from 4Front), but it does not use suser and therefore wouldn't be broken.

For the sake of discussion, I've also made a set of patches that retain binary compatibility. It demonstrates the cost of binary compatibility well. One would have to traverse the process list on every call to suser. (You need to access the proc structure to implement the jail functionality, but suser only gets the ucred structure).

At the moment, I'm of the opinion that binary compatibility with 3rd party KLDs is unimportant, given the number of KLDs that use suser that I know of (zero). Time will tell if there are more.

Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
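
The cost described in the message above, as an added user-space model in C. It is not part of the original e-mail and not taken from the patches it mentions; it contrasts a privilege check that receives the proc with one that receives only the ucred and must walk the process list. Every struct, function and variable name is hypothetical, and the model assumes that each process owns its own credential and that a jailed root is simply refused.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Toy user-space model; every name here is hypothetical, not kernel code. */
struct ucred { unsigned uid; };
struct proc  { struct ucred *cred; int jailed; struct proc *next; };
#define MAXPROC 1024
static struct ucred creds[MAXPROC];
static struct proc  procs[MAXPROC], *allproc;  /* pool and list head */
static size_t nprocs;
unsigned long steps;           /* list nodes visited by suser_cred() */

/* Constructed sample data: add a process that owns its own credential. */
struct proc *spawn(unsigned uid, int jailed)
{
    if (nprocs == MAXPROC) return NULL;
    struct proc *p = &procs[nprocs];
    creds[nprocs].uid = uid;
    *p = (struct proc){ &creds[nprocs++], jailed, allproc };
    return allproc = p;        /* newest process becomes the list head */
}

/* Changed interface: the caller passes the proc, so the jail check is direct. */
int suser_proc(const struct proc *p)
{
    return (p->cred->uid != 0 || p->jailed) ? EPERM : 0;
}

/* Unchanged interface: only the credential arrives, so the owning process
 * must be found by walking the list before the jail check can be made. */
int suser_cred(const struct ucred *cr)
{
    if (cr->uid != 0) return EPERM;
    for (const struct proc *p = allproc; p != NULL; p = p->next) {
        steps++;
        if (p->cred == cr) return p->jailed ? EPERM : 0;
    }
    return 0;   /* credential not attached to any modelled process */
}

int main(void)
{
    struct proc *jr = spawn(0, 1);   /* jailed root, oldest entry */
    for (int i = 0; i < 500; i++) spawn(1000 + i, 0);
    int by_proc = suser_proc(jr), by_cred = suser_cred(jr->cred);
    printf("proc=%d cred=%d steps=%lu\n", by_proc, by_cred, steps);
    return 0;
}
```

Both variants reach the same decision; the credential-only variant pays one list traversal per call, which grows with the number of processes.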