Date: Sun, 5 Feb 2006 21:00:44 +0530
From: Joseph Koshy <joseph.koshy@gmail.com>
To: Björn König <bkoenig@cs.tu-berlin.de>
Cc: Robert Watson <rwatson@freebsd.org>, current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
Message-ID: <84dead720602050730s3fe89785nf142bc99f41b45ba@mail.gmail.com>
In-Reply-To: <43E616EF.9020704@cs.tu-berlin.de>
References: <43E60708.9000902@cs.tu-berlin.de> <20060205141626.N76666@fledge.watson.org> <43E616EF.9020704@cs.tu-berlin.de>
bk> That means you have to consider that the host environment
bk> needs to be trustworthy if you use jails, and as long as you
bk> can't guarantee strict isolation of the host environment
bk> from the point of view of unprivileged users, it would be
bk> the wrong way to obscure jails from these users
bk> partially, like I suggested.

On FreeBSD 5 and later there is mac_partition(4). You could investigate
using setpmac(8) to run processes inside the jail with a different
partition label than processes in the host environment.

-- 
FreeBSD Volunteer, http://people.freebsd.org/~jkoshy
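What the setpmac(8) suggestion changes, as an added example that is not part of the thread and not FreeBSD's own code: a small user-space model of the checks that decide whether one process may signal another once jailed processes carry a mac_partition(4) label. The rules it encodes are the documented ones (a jailed subject is confined to its own jail while an unjailed one is not; a non-root subject may only signal processes with its own uid; a subject in partition 0 is unrestricted and any other subject may only act on processes with the same partition label, a mismatch being reported as ESRCH). The process names, uids, jail id and partition numbers are constructed for illustration, and the uid rule is a simplification of the kernel's full p_cansignal() logic.

```c
/*
 * Added example, not from the original thread or from FreeBSD's sources:
 * a model of the checks that decide whether a process may kill(2) another
 * once jailed processes carry a mac_partition(4) label.
 *
 * Rules modelled (see jail(2) and mac_partition(4)):
 *  - a jailed subject may only act on processes in its own jail; an unjailed
 *    (host) subject is not restricted by jails;
 *  - ordinary unprivileged rule (simplified): a non-root subject may only
 *    signal processes with the same uid;
 *  - mac_partition: a subject in partition 0 is unrestricted; any other
 *    subject may only act on processes carrying the same partition label,
 *    and a mismatch is reported as ESRCH (the target is invisible).
 * Process names, uids, jail ids and partition numbers below are constructed.
 */
#include <errno.h>
#include <stdio.h>

struct proc {
    const char *name;
    int uid;             /* credential uid; 0 = root */
    int jid;             /* 0 = host, >0 = jail id */
    unsigned partition;  /* mac_partition label; 0 = unrestricted */
};

/* Model of the mac_partition label comparison: 0 = allowed, EPERM = denied. */
static int partition_check(const struct proc *subj, const struct proc *obj)
{
    if (subj->partition == 0)
        return 0;
    if (subj->partition == obj->partition)
        return 0;
    return EPERM;
}

/* Model of the jail visibility rule: only a jailed subject is confined. */
static int jail_check(const struct proc *subj, const struct proc *obj)
{
    if (subj->jid != 0 && subj->jid != obj->jid)
        return ESRCH;
    return 0;
}

/* Model of the kill(2) decision: returns 0 or the errno the caller sees. */
int model_kill(const struct proc *subj, const struct proc *obj)
{
    if (jail_check(subj, obj) != 0)
        return ESRCH;
    if (partition_check(subj, obj) != 0)
        return ESRCH;             /* mac_partition hides the target */
    if (subj->uid != 0 && subj->uid != obj->uid)
        return EPERM;             /* ordinary uid rule */
    return 0;
}

/*
 * The situation from the subject line: an unprivileged host user shares a
 * uid with a jailed daemon. Returns the errno of the host user's kill(2)
 * for the given partition labels on the two processes (constructed case).
 */
int host_kills_jailed(unsigned host_partition, unsigned jail_partition)
{
    struct proc host = { "host shell (uid 1001)", 1001, 0, host_partition };
    struct proc jailed = { "jailed daemon (uid 1001)", 1001, 1, jail_partition };
    return model_kill(&host, &jailed);
}

/* The reverse direction: the jailed process trying to signal the host user. */
int jailed_kills_host(unsigned host_partition, unsigned jail_partition)
{
    struct proc host = { "host shell (uid 1001)", 1001, 0, host_partition };
    struct proc jailed = { "jailed daemon (uid 1001)", 1001, 1, jail_partition };
    return model_kill(&jailed, &host);
}

int main(void)
{
    const struct { unsigned host, jail; const char *what; } cases[] = {
        { 0, 0, "no labels: the problem reported in the thread" },
        { 0, 1, "only the jail relabelled: host stays in partition 0" },
        { 2, 1, "host users and jail in different non-zero partitions" },
        { 1, 1, "host users and jail in the same partition" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int e = host_kills_jailed(cases[i].host, cases[i].jail);
        printf("host partition/%u -> jail partition/%u: %s (%s)\n",
               cases[i].host, cases[i].jail,
               e == 0 ? "kill allowed" : e == ESRCH ? "ESRCH" : "EPERM",
               cases[i].what);
    }
    return 0;
}
```

The second row is the caveat a practitioner wants before adopting the suggestion: relabelling only the jail's processes (for example running the jail's startup under `setpmac partition/1`) does not stop a host user who remains in partition 0, because partition 0 is unrestricted. Host login sessions need a non-zero partition label of their own, and mac_partition must be loaded and enabled, before the host-to-jail signal is refused.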