On 21/04/2025 18:43, Gordon Tetlow wrote:
> A while ago, I was playing around with building stripped down jails
> based on pkgbase and noticed that /bin/sh and a whole host of
> interactive commands is in the FreeBSD-runtime package. This seemed
> weird to me as my stripped down jail that is intended to run nginx
> should only have the runtime libraries necessary. Including /bin/sh
> and friends is unnecessary and would only enable an attacker to gain
> a foothold more easily. I recall trying to get it more minimal, but
> FreeBSD-runtime is a critical package that must be installed given
> things like PAM and some extremely critical libraries (libz, libcap,
> libutil, etc) are in this package.

Sounds like an interesting idea, but what's the alternative to start nginx without /bin/sh for the rc scripts? How does that work?

        Cheers,

        Matthew


