thread instead of struct proc as needed. I have
everything up at
http://msalem.translator.cx/dist/jail_seperation.v7.patch, if you want
to look at it.
Thanks,
On Tue, 2003-12-09 at 15:14, Marko Zec wrote:
> On Tuesday 09 December 2003 20:42, Mooneer Salem wrote:
> > Hello,
> >
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
Mooneer Salem
Know Your College (http://www.knowyourcollege.com/):
college experiences from the perspective of re
people inside a jail to add ipfw rules
for their own IP address(es), among other things. See
http://msalem.translator.cx/dist/jail_separation.v7.patch
(for 5.0-RELEASE). :)
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
-Original
side their
jails (thereby preventing interference between jails)
If anyone's interested in testing it, it can be found at
http://msalem.translator.cx/dist/jail_seperation.v7.patch.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
uct prison pointer).
This should mitigate some of the security concerns.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of "."@babolo.ru
Sent: Mo
Hello,
This patch is interesting. To my understanding though, ipfw uses RAW sockets
to communicate with the kernel. Therefore, it might be possible to edit the
ipfw table from within the jail, which may be a bad thing. Just a thought.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx
users outside a jail cannot access any files inside a jail
(sysctl controllable)
The patch can be downloaded at
http://msalem.translator.cx/dist/jail_seperation.v6.patch.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
-Original
}
/* deny if this mount point lies under the jail's chroot path */
if (!strncmp(element->chroot_path,
    vp->v_mount->mnt_stat.f_mntonname,
    strlen(element->chroot_path))) {
	return (EPERM);
}
}
This ensures the check is only run if the sysctl variable equals
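The strncmp() comparison in the snippet above, modelled in user space as an added example; this is not code from the patch or from anyone on the freebsd-hackers thread. It assumes the hypothetical names jail_root and mount_point in place of element->chroot_path and f_mntonname, and the sample paths are constructed. It shows what a prefix-only match does with a jail root of /jail/a and a mount point of /jail/ab, beside a variant that also checks the path-component boundary.

```c
/* Added example, not part of the jail separation patch. jail_root and
 * mount_point stand in for chroot_path and mnt_stat.f_mntonname. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* The check as quoted: a plain prefix match over strlen(jail_root) bytes.
 * Returns EPERM when mount_point starts with jail_root, else 0. */
int prefix_check(const char *jail_root, const char *mount_point)
{
	if (!strncmp(jail_root, mount_point, strlen(jail_root)))
		return (EPERM);
	return (0);
}

/* Same intent, but a match must end on a path-component boundary, so
 * "/jail/a" hides "/jail/a" and "/jail/a/usr" but not "/jail/ab".
 * Trailing slashes on jail_root are ignored; a root of "/" hides all. */
int boundary_check(const char *jail_root, const char *mount_point)
{
	size_t n = strlen(jail_root);

	while (n > 1 && jail_root[n - 1] == '/')
		n--;
	if (strncmp(jail_root, mount_point, n) != 0)
		return (0);
	if (n == 1)		/* jail_root is "/" */
		return (EPERM);
	if (mount_point[n] == '\0' || mount_point[n] == '/')
		return (EPERM);
	return (0);
}

int main(void)
{
	/* constructed sample inputs, not taken from any real system */
	static const struct { const char *root, *mnt; } cases[] = {
		{ "/jail/a",  "/jail/a/usr" },
		{ "/jail/a",  "/jail/ab" },
		{ "/jail/a/", "/jail/a/usr" },
		{ "/jail/a",  "/usr" },
	};
	size_t i;

	for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-10s %-14s prefix=%d boundary=%d\n",
		    cases[i].root, cases[i].mnt,
		    prefix_check(cases[i].root, cases[i].mnt),
		    boundary_check(cases[i].root, cases[i].mnt));
	return (0);
}
```

The second case is the one to watch: with a jail root of /jail/a, prefix_check() returns EPERM for a mount point named /jail/ab, which belongs to a different jail or to the host, while boundary_check() leaves it visible. The same boundary test applies wherever a chroot path is compared against another path by prefix.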
sysctls when I get a chance for the mount
hiding. Also, I'm going to take a look
at the VFS code and see if I can hide files from non-root non-jailed users.
3. Does multi-level jailing add any further restrictions to the jails within
the jails, besides the standard ones
imposed?
.0.0.3,10.0.0.4
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.quotas_allowed: 0
security.jail.hide_processes: 0
%
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafter
on will need to be found
to
insert the code in.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mooneer Salem
Sent: Tuesday, February 18, 2003 5
h? Is there a different approach we
could take that would solve this problem?
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
he purpose of separating the jail from the main environment
though, your approach
may be better.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of P