Re: Splitting critical libraries from interactive shell in runtime package
- In reply to: Gordon Tetlow : "Splitting critical libraries from interactive shell in runtime package"
Date: Tue, 22 Apr 2025 16:39:17 UTC
<<On Mon, 21 Apr 2025 10:43:44 -0700, Gordon Tetlow <gordon@tetlows.org> said:

> A while ago, I was playing around with building stripped down jails
> based on pkgbase and noticed that /bin/sh and a whole host of
> interactive commands is in the FreeBSD-runtime package. This seemed
> weird to me as my stripped down jail that is intended to run nginx
> should only have the runtime libraries necessary. Including /bin/sh
> and friends is unnecessary and would only enable an attacker to gain
> a foothold more easily.

Part of the functionality of the standard C library is implemented in the shell. You probably don't need any of these functions, and maybe given your security posture you would prefer if they didn't work.

POSIX generally requires a shell. I think pkgbase is perhaps not conceived for this application: a shell is not normally thought of as an optional component.

-GAWollman