cvs commit: src/sys/kern kern_jail.c
Julian Elischer
julian at elischer.org
Sun Feb 15 08:34:29 PST 2004
On Sun, 15 Feb 2004, Robert Watson wrote:
>
> On Sun, 15 Feb 2004, Pawel Jakub Dawidek wrote:
>
> > On Sat, Feb 14, 2004 at 11:19:48AM -0800, Robert Watson wrote:
> > +> Commiter: Robert Watson <rwatson at FreeBSD.org>
> > +> Branch: HEAD
> > +>
> > +> Files:
> > +> 1.38 src/sys/kern/kern_jail.c
> > +>
> > +> Log:
> > +> By default, don't allow processes in a jail to list the set of
> > +> jails in the system. Previous behavior (allowed) may be restored
> > +> by setting security.jail.list_allowed=1.
> >
> > Are you planning to leave this sysctl? IMHO the previous behaviour was
> > just bad, this was a bug, and restoring this behaviour shouldn't be
> > permitted. But if this sysctl is just a temporary solution and will be
> > removed in the future, it is ok (but maybe BURN_BRIDGES should be
> > added?).
> >
> > PS. This functionality is quite fresh, I'm not sure if someone started
> > to depend on it...
>
> Yeah, the interesting question here is whether it was intentional in the
> first place for a good reason, or just a by-product of the implementation.
> How about we wait three weeks and see if anyone complains on
> freebsd-current about the loss of functionality -- if no one says
> anything, we remove the sysctl?
In scripts I use the fact that "df /" in a jail returns the size of
some other filesystem to see if I'm in a jail.
I've asked before for a simple sysctl to let me know if I'm in a jail
but the response was generally -ve..
you sometimes need to be able to know you are in a jail so that you can
know not to attempt things that are not permitted in jails..
(e.g. pings, or ifconfig'ing network interfaces)
>
> Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
> robert at fledge.watson.org Senior Research Scientist, McAfee Research
>
>
>
More information about the cvs-src
mailing list