Re: Splitting critical libraries from interactive shell in runtime package

On 21/04/2025 18:43, Gordon Tetlow wrote:
> A while ago, I was playing around with building stripped down jails
> based on pkgbase and noticed that /bin/sh and a whole host of
> interactive commands is in the FreeBSD-runtime package. This seemed
> weird to me as my stripped down jail that is intended to run nginx
> should only have the runtime libraries necessary. Including /bin/sh
> and friends is unnecessary and would only enable an attacker to gain
> a foothold more easily. I recall trying to get it more minimal, but
> FreeBSD-runtime is a critical package that must be installed given
> things like PAM and some extremely critical libraries (libz, libcap,
> libutil, etc) are in this package.
Sounds like an interesting idea, but what's the alternative to start 
nginx without /bin/sh for the rc scripts?  How does that work?

	Cheers,

	Matthew