Date: Sun, 15 Feb 2004 11:29:09 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/kern kern_jail.c Message-ID: <Pine.NEB.3.96L.1040215112750.56481A-100000@fledge.watson.org> In-Reply-To: <20040215162455.GZ14639@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 15 Feb 2004, Pawel Jakub Dawidek wrote: > On Sat, Feb 14, 2004 at 11:19:48AM -0800, Robert Watson wrote: > +> Commiter: Robert Watson <rwatson@FreeBSD.org> > +> Branch: HEAD > +> > +> Files: > +> 1.38 src/sys/kern/kern_jail.c > +> > +> Log: > +> By default, don't allow processes in a jail to list the set of > +> jails in the system. Previous behavior (allowed) may be restored > +> by setting security.jail.list_allowed=1. > > Are you planning to leave this sysctl? IMHO the previous behaviour was > just bad, this was a bug, and restoring this behaviour shouldn't be > permitted. But if this sysctl is just a temporary solution and will be > removed in the future, it is ok (but maybe BURN_BRIDGES should be > added?). > > PS. This functionality is quite fresh, I'm not sure if someone started > to depend on it... Yeah, the interesting question here is whether it was intentional in the first place for a good reason, or just a by-product of the implementation. How about we wait three weeks and see if anyone complains on freebsd-current about the loss of functionality -- if no one says anything, we remove the sysctl? Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Senior Research Scientist, McAfee Research
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1040215112750.56481A-100000>