Any patch for ICMP in a jail?
Terry Lambert
tlambert2 at mindspring.com
Mon Aug 4 10:54:31 PDT 2003
Brad Knowles wrote:
> At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
> > The best short-term suggestion would be to write a
> > privilege-separated ping tool -- a pingd running outside the jail,
> > providing UNIX domain sockets in each jail that needs the ability to ping;
> > ping then becomes a client that RPC's to pingd.
>
> It strikes me that this is probably a better solution to the
> problem regardless of whether or not you are in a jail. By carefully
> controlling the RPC interface, you should be able to reduce the
> security exposure, simplify pingd, and bring more of the complex
> logic into the unprivileged ping client.
>
> This would also allow you to apply the same solution for jail vs.
> non-jail environments.
>
> Is this a future enhancement that we can realistically look forward to?
You would either lose or overexpose root-restricted functionality,
such as flood-ping.
-- Terry
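The privilege-separated pingd that Robert Watson sketches above, and the root-only-functionality concern Terry raises, as an added example that is not FreeBSD's ping or any existing pingd: ping becomes an unprivileged client inside the jail that sends a fixed-size request over a UNIX domain socket, and pingd, outside the jail, holds the raw ICMP socket and checks every request against its own policy before sending anything. The interval floor is where flood-ping stays behind the daemon rather than being handed to the jail. The message layout, the policy constants, the function names and the stub probe sender are assumptions; the stub sends no packets, which is what lets the round trip run without root.

```c
/* Privilege-separated ping, added example (not FreeBSD's ping): the unprivileged
 * client in the jail sends a fixed-size request over a UNIX domain socket; pingd,
 * outside the jail, owns the raw ICMP socket and enforces policy. Values assumed. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define PINGD_PROTO_VERSION   1
#define PINGD_MAX_COUNT       10   /* assumed policy: at most 10 probes per request */
#define PINGD_MIN_INTERVAL_MS 200  /* assumed policy: no flood-ping for jailed clients */
#define PINGD_MAX_PAYLOAD     56   /* assumed policy: classic 56-byte payload cap */

enum pingd_status { PINGD_OK = 0, PINGD_EVERSION, PINGD_EADDR,
                    PINGD_ECOUNT, PINGD_EINTERVAL, PINGD_EPAYLOAD };

struct ping_req {                     /* fixed-size wire format, no option strings */
    uint32_t version, count, interval_ms, payload_len;
    char     target[INET_ADDRSTRLEN]; /* dotted quad; pingd does no name lookup */
};
struct ping_resp { uint32_t status, sent; }; /* status holds an enum pingd_status */

/* Sender hook: the real one writes an ICMP echo to a SOCK_RAW socket that pingd
 * opened as root at startup, before dropping privileges. */
typedef int (*probe_fn)(const struct in_addr *dst, uint32_t payload_len);

/* Policy check on the privileged side; nothing the client asked for is trusted. */
enum pingd_status pingd_validate(const struct ping_req *r, struct in_addr *dst)
{
    if (r->version != PINGD_PROTO_VERSION)                return PINGD_EVERSION;
    if (r->count == 0 || r->count > PINGD_MAX_COUNT)       return PINGD_ECOUNT;
    if (r->interval_ms < PINGD_MIN_INTERVAL_MS)            return PINGD_EINTERVAL;
    if (r->payload_len > PINGD_MAX_PAYLOAD)                return PINGD_EPAYLOAD;
    if (memchr(r->target, '\0', sizeof r->target) == NULL) return PINGD_EADDR;
    if (inet_pton(AF_INET, r->target, dst) != 1)           return PINGD_EADDR;
    return PINGD_OK;
}

/* pingd side: serve one request on fd; pingd paces the probes, not the client. */
int pingd_serve_one(int fd, probe_fn send_probe)
{
    struct ping_req req;
    struct ping_resp resp = { 0, 0 };
    struct in_addr dst;
    if (recv(fd, &req, sizeof req, MSG_WAITALL) != (ssize_t)sizeof req)
        return -1;
    resp.status = pingd_validate(&req, &dst);
    for (uint32_t i = 0; resp.status == PINGD_OK && i < req.count; i++) {
        if (i > 0) { /* the interval floor is enforced here, on the privileged side */
            struct timespec ts = { req.interval_ms / 1000,
                                   (req.interval_ms % 1000) * 1000000L };
            nanosleep(&ts, NULL);
        }
        if (send_probe(&dst, req.payload_len) != 0)
            break;
        resp.sent++;
    }
    return send(fd, &resp, sizeof resp, 0) == (ssize_t)sizeof resp ? 0 : -1;
}

/* Constructed stand-in for the raw-socket sender: sends nothing, so the round
 * trip below runs without root. */
static int stub_probe(const struct in_addr *dst, uint32_t payload_len)
{
    (void)dst; (void)payload_len;
    return 0;
}

/* ping side plus an in-process pingd over a socketpair. A real pingd would bind
 * a UNIX socket path visible in each jail and serve each client in a child. */
int ping_roundtrip(const char *target, uint32_t count, uint32_t interval_ms,
                   struct ping_resp *resp)
{
    int sv[2], rc = -1;
    struct ping_req req = { PINGD_PROTO_VERSION, count, interval_ms, 56, "" };
    strncpy(req.target, target, sizeof req.target - 1);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (send(sv[0], &req, sizeof req, 0) == (ssize_t)sizeof req &&      /* client */
        pingd_serve_one(sv[1], stub_probe) == 0 &&                       /* daemon */
        recv(sv[0], resp, sizeof *resp, MSG_WAITALL) == (ssize_t)sizeof *resp)
        rc = 0;
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct ping_resp r;
    if (ping_roundtrip("127.0.0.1", 2, 200, &r) == 0)
        printf("normal request: status=%u sent=%u\n", r.status, r.sent);
    if (ping_roundtrip("127.0.0.1", 10, 1, &r) == 0)
        printf("flood attempt:  status=%u sent=%u\n", r.status, r.sent);
    return 0;
}
```

The design point is that the client never gets to name a socket option, a raw flag or a timing it controls: it asks for a count, an interval and a target in a fixed-size struct, and the privileged side either applies its own limits or refuses. A request for a sub-floor interval comes back with PINGD_EINTERVAL and nothing sent, so the flood behaviour remains a root-only decision on the host rather than something the jail can reach through the RPC.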