Re[3]: SSHD in JAIL

From: Paulo Fragoso (paulo@nlink.com.br)
Date: 08/07/01


Date: Tue, 7 Aug 2001 08:55:27 -0300 (BRT)
From: Paulo Fragoso <paulo@nlink.com.br>
To: Igor Podlesny <poige@morning.ru>

On Tue, 7 Aug 2001, Igor Podlesny wrote:

>
> a cite from MAN:
> Inside the prison, the concept of "superuser" is very diluted. In
> general, it can be assumed that nothing can be mangled from inside a prison
> which does not exist entirely inside that prison. For instance the
> directory tree below ``path'' can be manipulated all the ways a root can
> normally do it, including ``rm -rf /*'' but new device special nodes
> cannot be created because they reference shared resources (the device
> drivers in the kernel).
>
> so it's becoming too redundant to use nodev with jail(2), don't you
> agree?

Yes, I agree.

Thanks,
Paulo Fragoso.

>
> > On Mon, 6 Aug 2001, Paulo Fragoso wrote:
>
> >> I was thinking if jail dir mounted on file system with "nodev" it will
> >> be more secure. Anyone could access any disks in the jails environment. Is it
> >> all right?
>
> > yes, but you don't have to create all those disk device nodes. And of
> > course you can't create a device node inside jail itself.
>
> > *** WBR, Alexey Zakirov (frank@agava.com)
>
> --
> Igor mailto:poige@morning.ru
> http://morning.ru/~poige
>
>

-- 
   __O
 _-\<,_     Why drive when you can bike?
(_)/ (_)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
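
The thread turns on whether the filesystem holding a jail's directory tree is mounted with "nodev". The following is an added example, not code from any of the posters: it reads output in the format printed by FreeBSD's mount(8), finds the filesystem that actually holds a given jail root (the longest matching mount point), and reports whether "nodev" is among its options. The function names, sample mount lines and jail paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format printed by FreeBSD mount(8):
#   <device> on <mountpoint> (<type>, <option>, ...)
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1g on /usr/jail (ufs, local, nodev, nosuid)
procfs on /proc (procfs, local)'

# mount_opts_for PATH  (hypothetical helper)
# Reads mount output on stdin and prints the option list of the filesystem
# that holds PATH, i.e. the longest mount point that is PATH itself or a
# parent directory of PATH. A plain string prefix is not enough:
# /usr/jail must not match /usr/jails/www.
mount_opts_for() {
    awk -v p="$1" '
    {
        s = index($0, " on "); e = index($0, " (")
        if (s == 0 || e <= s) next                 # not a mount line
        mp = substr($0, s + 4, e - s - 4)          # mount point
        opts = substr($0, e + 2); sub(/\)$/, "", opts)
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); out = opts }
        }
    }
    END { if (best) print out }'
}

# jail_fs_has_nodev JAILROOT  (hypothetical helper)
# Returns 0 if the holding filesystem lists nodev, 1 if it does not,
# 2 if no filesystem could be matched.
jail_fs_has_nodev() {
    opts=$(mount_opts_for "$1")
    [ -n "$opts" ] || return 2
    case ", $opts," in
        *", nodev,"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Demo on the constructed sample; the second path sits on /usr, not /usr/jail.
for j in /usr/jail/www /usr/jails/www; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | jail_fs_has_nodev "$j"; then
        echo "$j: nodev set"
    else
        echo "$j: nodev NOT set"
    fi
done
```

On a live host the same check would be fed real data with `mount | jail_fs_has_nodev /path/to/jail`.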

