New feature exec_afterstart
Dirk Engling
erdgeist at erdgeist.org
Tue Jun 6 16:12:02 PDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
while incorporating some of the jail options grouping stuff into
/etc/rc.d/jail I noticed the introduction of a new feature called
"exec_afterstart".
This has not been discussed here on list but yet was introduced in 1.34
and is going to be MFCed somewhere around soon.
When googling around I found this:
http://www.freebsd.org/cgi/query-pr.cgi?pr=97697
I do not see, what this approach yields that cannot simply be
accomplished by a second jail on the same jailroot/IP-combination,
correct me, if I am wrong. Further I can not see, what /bin/sh
introduces in terms of system (in)security that will not happen to you
if you have syscalls.
The patch introduces the same ugly enumeration style that already sucks
in the ifconfig rc script and should be deprecated. Correct me, if I am
wrong.
So I'd strongly vote to not to MFC but rather remove this feature.
Btw.: Where do these kinds of discussions normally take place? I mean
before things are committed.
Regards
erdgeist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
iD8DBQFEhgTwImmQdUyYEgkRArG7AJ9jDlwuq9jsfq+97oMirf3NBDqQDACbB051
HZm2ibjGGHMbriiwrGIjDt8=
=fd4p
-----END PGP SIGNATURE-----
More information about the freebsd-rc
mailing list