New feature exec_afterstart
Florent Thoumie
flz at FreeBSD.org
Tue Jun 6 17:25:00 PDT 2006
On Wed, 2006-06-07 at 00:42 +0200, Dirk Engling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> while incorporating some of the jail options grouping stuff into
> /etc/rc.d/jail I noticed the introduction of a new feature called
> "exec_afterstart".
>
> This has not been discussed here on list but yet was introduced in 1.34
> and is going to be MFCed somewhere around soon.
>
> When googling around I found this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=97697
>
> I do not see, what this approach yields that cannot simply be
> accomplished by a second jail on the same jailroot/IP-combination,
> correct me, if I am wrong. Further I can not see, what /bin/sh
> introduces in terms of system (in)security that will not happen to you
> if you have syscalls.
The /bin/sh thing seemed discutable to me but I didn't investigate
enough to ask for backout.
> The patch introduces the same ugly enumeration style that already sucks
> in the ifconfig rc script and should be deprecated. Correct me, if I am
> wrong.
>
> So I'd strongly vote to not to MFC but rather remove this feature.
It still can be discussed now.
> Btw.: Where do these kinds of discussions normally take place? I mean
> before things are committed.
Here and in gnats. See conf and rc PRs.
PS: Matteo and submitter CC'ed.
--
Florent Thoumie
flz at FreeBSD.org
FreeBSD Committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-rc/attachments/20060607/c5da5650/attachment.pgp
More information about the freebsd-rc
mailing list