Date: Tue, 15 Dec 1998 12:48:18 +1300 From: Joe Abley <jabley@clear.co.nz> To: Kevin Day <toasty@home.dragondata.com> Cc: freebsd-current@FreeBSD.ORG, jabley@clear.co.nz Subject: Re: modification to exec in the kernel? Message-ID: <19981215124818.A22526@clear.co.nz> In-Reply-To: <199812142331.RAA17203@home.dragondata.com>; from Kevin Day on Mon, Dec 14, 1998 at 05:31:43PM -0600 References: <19981215120357.B11837@clear.co.nz> <199812142331.RAA17203@home.dragondata.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Dec 14, 1998 at 05:31:43PM -0600, Kevin Day wrote: > > I dunno if this fits your requirements or not, but in the past where this > was necessary, i simply put these user's home directories on a volume > mounted with 'noexec'. I looked at that; however, remember the users will have chrooted access to their directories, and within the chrooted tree will be /usr and descendants containing controlled binaries (owned by someone else, e.g. "root") like perl, awk, sh, etc. We were planning to keep them on the same filesystem, and use hard links from the chrooted trees to allow them to appear to the users. The alternative I looked at was to mount the chrooted /usr read-only once for each user into their private tree without noexec, and mount the filesystem containing the user-modifiable stuff with noexec. However, this means we have to mount the same device hundreds of times simultaneously on the same box (or else maintain separate /usr trees on separate filesystems for each user). This all looks like mount bloat. Joe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19981215124818.A22526>