Splitting critical libraries from interactive shell in runtime package
- Reply: Matthew Seaman : "Re: Splitting critical libraries from interactive shell in runtime package"
- Reply: Garrett Wollman : "Re: Splitting critical libraries from interactive shell in runtime package"
- Reply: Lexi Winter : "Re: Splitting critical libraries from interactive shell in runtime package"
Date: Mon, 21 Apr 2025 17:43:44 UTC
A while ago, I was playing around with building stripped down jails based on pkgbase and noticed that /bin/sh and a whole host of interactive commands is in the FreeBSD-runtime package.

This seemed weird to me as my stripped down jail that is intended to run nginx should only have the runtime libraries necessary. Including /bin/sh and friends is unnecessary and would only enable an attacker to gain a foothold more easily. I recall trying to get it more minimal, but FreeBSD-runtime is a critical package that must be installed given things like PAM and some extremely critical libraries (libz, libcap, libutil, etc) are in this package.

So, my proposal/question is, can we split out the critical libraries from the shell and supporting commands in the runtime package so a minimal jail could be properly built via pkgbase? What needs to happen to make that work?

Digging around, I found dfr@ asking about this in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273783. There seemed to be agreement from manu@ that making a shell-free environment is a good goal we can support.

Thanks,
Gordon