raw socket+prison warning
Christian S.J. Peron
csjp at freebsd.org
Mon May 31 17:30:39 PDT 2004
For those of you not subscribed to src-committers at FreeBSD.org,
cvs-src at FreeBSD.org or cvs-all at FreeBSD.org, I just committed
a warning note in jail(8) for the security.jail.allow_raw_sockets
sysctl MIB about the risks of enabling raw sockets in prisons.
Because raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to
untrusted parties. As such, by default this option is disabled.
A few others and I are currently auditing the kernel
source code to ensure that the use of raw sockets by
privledged prison users is safe.
--
Christian S.J. Peron
csjp at FreeBSD.org
FreeBSD committer
More information about the freebsd-current
mailing list