Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????t

Board: FB_security, posted 2011/05/11 02:32
Post 17 of 29 in this thread
On Tue, 10 May 2011 19:24:28 +0200 Dag-Erling Smørgrav <des@des.no> wrote:

> I vote no as well, but for a different reason: there are many other
> things the jailed root can do to the root directory, including flags,
> extended attributes, etc. (some of which are fs-dependent), and it would
> be difficult or impossible to identify all of them, not to mention those
> that aren't yet possible but will be in the future. Fixing just one (or
> two, or five) of them today might give users a false sense of security,
> which is inexcusable when we can give a *true* sense of security by
> telling them to "chmod 0700 $D/..".

Dumb question: the jail command can refuse to run unless the parent of a jail root is 0700. Would that work? No kernel hack required.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
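The pre-flight check proposed in the message above, sketched as an added example (not code from the thread or from jail(8)): a hypothetical helper, `jail_parent_is_private`, that a jail launcher could call to refuse to start unless the parent of the jail root is mode 0700. The function name, error strings and exit codes are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath() under strict -std= modes */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not part of jail(8)): 0 if the parent of jail root
 * `root` has mode exactly 0700, else -1 with the reason in errbuf. */
int jail_parent_is_private(const char *root, char *errbuf, size_t errlen)
{
    char resolved[PATH_MAX], parent[PATH_MAX + 4];
    struct stat sb;

    /* Canonicalise so the check and the message name the real directory. */
    if (realpath(root, resolved) == NULL) {
        snprintf(errbuf, errlen, "%s: %s", root, strerror(errno));
        return -1;
    }
    if (strcmp(resolved, "/") == 0) {
        snprintf(errbuf, errlen, "jail root is /: no parent to restrict");
        return -1;
    }
    snprintf(parent, sizeof(parent), "%s/..", resolved);
    if (stat(parent, &sb) != 0) {
        snprintf(errbuf, errlen, "%s: %s", parent, strerror(errno));
        return -1;
    }
    /* Compare every permission bit, setuid/setgid/sticky included. */
    if ((sb.st_mode & 07777) != 0700) {
        snprintf(errbuf, errlen, "%s is mode %04o, want 0700",
            parent, (unsigned)(sb.st_mode & 07777));
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char err[PATH_MAX + 64];

    if (argc != 2) return 2;            /* usage: check <jail-root> */
    if (jail_parent_is_private(argv[1], err, sizeof(err)) != 0) {
        fprintf(stderr, "refusing to start jail: %s\n", err);
        return 1;
    }
    return 0;
}
```

The check looks only at the mode at the moment it runs, so it does not cover the parent being changed after the jail has started.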