On 10 May 2011 19:49, Bakul Shah <ba...@bitblocks.com> wrote:
> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

If you do that then you can't use the jail with a non-root jailed user, and I never want to give what is running in a jail anything more than very unprivileged access. All I do is this:

/var - as normal
/var/jails - 0700
/var/jails/jail1 - 0755
/var/jails/jail2 - 0755
etc.

If an unprivileged user outside the jail was also root inside the jail, he wouldn't be able to get into the /var/jails directory to do any suid rooting.
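
An added example, not part of the original message: a POSIX sh check for the layout described above, where the directory holding the jail roots is 0700 and root-owned and each jail root below it is 0755. The function names and the optional owner-uid argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names and the
# optional owner-uid argument are assumptions for illustration.

# Print "<octal mode> <owner uid>" for a path.
# GNU stat takes -c; FreeBSD stat rejects -c and takes -f instead.
mode_uid() {
    if stat -c '%a %u' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Lp %u' "$1"
}

# audit_jails PARENT [OWNER_UID]
# Returns 0 when PARENT is mode 700 and owned by OWNER_UID (default 0)
# and every directory directly below it is mode 755; 1 on a mismatch;
# 2 when PARENT cannot be examined.
audit_jails() {
    parent=$1
    owner=${2:-0}
    rc=0

    info=$(mode_uid "$parent") || return 2
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" != 700 ] || [ "$uid" != "$owner" ]; then
        echo "FAIL $parent: mode $mode uid $uid (want 700, uid $owner)"
        rc=1
    fi

    # Run as the owner (normally root): nobody else can list a 0700 directory.
    for jail in "$parent"/*/; do
        [ -d "$jail" ] || continue
        jail=${jail%/}
        info=$(mode_uid "$jail") || { rc=1; continue; }
        if [ "${info% *}" != 755 ]; then
            echo "WARN $jail: mode ${info% *} (layout uses 755)"
            rc=1
        fi
    done
    return $rc
}

# Audit the directory named on the command line, if any.
if [ $# -gt 0 ]; then
    audit_jails "$@"
fi
```

Saved under a name of your choosing and run as root with `/var/jails` as its argument, it exits non-zero when the parent directory has been loosened or a jail root has drifted from 0755.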