-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/07/2010 07:13:13, Aiza wrote: > From the console of a jail I issue uname –r and get 8.0-RELEASE-p3, > which is the release level of the host. I know the jail is running a > pristine minimum install of 8.0-RELEASE.
The uname information is compiled into the kernel -- so all jails will show the information relevant to the host system. The problem arises when a security patch applies to userland, and not the kernel, as updating the host system does not necessarily mean the update has been applied to the jails. > I would think issuing uname from within a jail environment should > respond with the info of the jail environment. Is this not a security > violation? It can result in security problems, yes. The real problem there is an incorrect approach to applying security updates to jailed systems. Even so, not having a reliable means of telling per-jail that patches have or have not been applied is a flaw. Whether you can do this within the POSIX specification for uname without adversely affecting backwards compatibility is a good question (http://www.opengroup.org/onlinepubs/009695399/utilities/uname.html). Perhaps a simple solution would be to compile a constant string value showing system version and patch level into libc.so and have a small utility to print that data out. Since this is independent of the kernel, it should fulfill the requirements, but it does mean that *every* system update requires a new libc.so and hence a restart of all running processes to apply fully. While I'm here -- why doesn't FreeBSD use a simple version number like 7.3.4 rather than saying 7.3-RELEASE-p4? I realize that historically there have been point releases like 5.2.1-RELEASE but the whole Security/Errata branch concept was developed partly in response to such things, and the whole release engineering process is done differently now. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: [email protected] Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwu4aMACgkQ8Mjk52CukIzd2wCfQSLaRz+G5FK62+DQ0ZT4gXA0 gAQAn0eu7SY28lrfElvlwVWtRieiWk5W =PuxL -----END PGP SIGNATURE----- _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[email protected]"
