Need for SysV IPC to be confined to jail instances

Peter Jeremy peterjeremy at optushome.com.au
Sat Nov 24 13:21:56 PST 2007


On Sat, Nov 24, 2007 at 12:11:18PM +0100, Gabor Tjong A Hung wrote:
>As I came to understand, if you enable jail_sysvipc_allow in rc.conf I am 
>defeating the purpose of a jail.

Not totally defeating the purpose but SysV IPC is not jail-aware so
any jailed process can see and affect the global SysV IPC state.

>I got a suggestion that it might be possible to have sys v ipc confined to 
>a jail instance and perhaps let it work like a telephone number.

This has come up before.  See (e.g.):
http://www.freebsd.org/cgi/query-pr.cgi?pr=48471
and the thread beginning
http://lists.freebsd.org/pipermail/freebsd-current/2006-April/062261.html

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.
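
The check below is an added example, not part of the original message or of FreeBSD itself: it reports whether `jail_sysvipc_allow`, the rc.conf knob discussed above, ends up enabled across a set of rc.conf-style files. The function names and the constructed sample input are assumptions made for illustration.

```shell
# Added example: report the effective jail_sysvipc_allow setting.
# rc.conf files are sourced as sh, so the last assignment wins; rc.subr's
# checkyesno treats YES/TRUE/ON/1 (any case) as enabled.

# effective_value FILE...: print the last value assigned, or "unset".
effective_value() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
            case $line in
                jail_sysvipc_allow=*) ;;
                *) continue ;;      # other knobs and commented-out lines
            esac
            v=${line#jail_sysvipc_allow=}
            v=${v%%#*}              # drop a trailing comment
            val=$(printf '%s' "$v" | tr -d "\"' \t")
        done < "$f"
    done
    printf '%s\n' "$val"
}

# is_enabled VALUE: succeed if checkyesno would read VALUE as "yes".
is_enabled() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit FILE...: print one finding line; return 1 if the knob is enabled.
audit() {
    v=$(effective_value "$@")
    if is_enabled "$v"; then
        echo "FINDING: jail_sysvipc_allow=$v, jails share global SysV IPC state"
        return 1
    fi
    echo "OK: jail_sysvipc_allow=$v"
}

# With no arguments, run on a constructed sample instead of real files.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' 'jail_sysvipc_allow="NO"' 'jail_sysvipc_allow="YES"' > "$sample"
    audit "$sample" || true
    rm -f "$sample"
else
    audit "$@"
fi
```

Pass the files in the order they are sourced on the host so that a later override is the value reported.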