Malicious root user sandboxing
Eugene Grosbein
eugen at grosbein.net
Thu May 21 07:43:21 UTC 2020
21.05.2020 12:16, Ihor Antonov wrote:
> Jails have a lot of drawbacks to.
[skip]
> I tried jails and was left disappointed.
Just use sysutils/ezjail from ports that hides all the hassle and does it all for you,
so you need to perform installworld for the host system only.
>> Also, shared PAM does not mean duplication of system user database,
>> take a look at: man -k pam_|fgrep '(8)'
>
> The idea was to have a lightweight solution with minimum moving parts. Bringing machinery
> like LDAP into this defeats the purpose of the exercise.
If you don't like LDAP, use FreeRADIUS and pam_radius.
Combined with ezjail, it is most lightweight solution you may currently obtain
without writing additional kernel level code.
More information about the freebsd-security
mailing list