Idea about 'skeleton jail
Pawel Malachowski
pawmal-posting at freebsd.lublin.pl
Mon Jan 31 11:35:20 PST 2005
On Mon, Jan 31, 2005 at 01:29:24PM -0600, security at revolutionsp.com wrote:
> Very nice idea!! This greatly improves jail management on FreeBSD. There
> is a possibility for a minor drawback -- if one can change a system binary
> in the host system, them all jails are compromised -- but assuming one
> would need root access on the host to change the binary, he would have
> power to change any jail anyway, so this is rather redundant.
>
> Great feature here, when can we see this added to the system?
BTW, people are using setups like this for years.
> >> I have already done some experiments. Basically we want the following
> >> directories to be mount_null'ed:
> >> /bin, /sbin, /lib, /libexec, /usr/bin, /usr/sbin, /usr/include,
> >> /usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, /usr/share
--
Paweł Małachowski
More information about the freebsd-hackers
mailing list