Any patch for ICMP in a jail?
Jacques A. Vidrine
nectar at FreeBSD.org
Tue Aug 5 04:51:14 PDT 2003
On Tue, Aug 05, 2003 at 03:55:55AM -0700, Terry Lambert wrote:
> Through the credential passing? I thought that wasn't reliable
> for this type of thing. Specifically, the jail would be in an
> untrusted protection domain; if you just accepted the credential
> blindly, then anyone could be root in the jail, and you could not
> trust it.
>
> If you didn't accept it blindly, then regular root loses existing
> functionality.
>
> I'm pretty sure that, at least the last time I looked at it, the
> credential passing code didn't pass information about jail status.
[deletia]
Sorry, you are right. Despite the subject line, I wasn't thinking of
jails at this point, but just of removing the setuid bit from ping.
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se