<<On Mon, 21 Apr 2025 10:43:44 -0700, Gordon Tetlow <gor...@tetlows.org> said:
> A while ago, I was playing around with building stripped down jails
> based on pkgbase and noticed that /bin/sh and a whole host of
> interactive commands is in the FreeBSD-runtime package. This seemed
> weird to me as my stripped down jail that is intended to run nginx
> should only have the runtime libraries necessary. Including /bin/sh
> and friends is unnecessary and would only enable an attacker to gain
> a foothold more easily.

Part of the functionality of the standard C library is implemented in
the shell. You probably don't need any of these functions, and maybe
given your security posture you would prefer if they didn't work.

POSIX generally requires a shell. I think pkgbase is perhaps not
conceived for this application: a shell is not normally thought of as
an optional component.

-GAWollman