Hello,

My test settings are as follows:

Host system (pacific.lifeafterking.org): 10.0.0.2, 10.0.0.3, 10.0.0.4
Jail (test.lifeafterking.org): 10.0.0.3, 10.0.0.4

I also made a new patch which fixes these issues:

1. Telnetting to 0.0.0.0 in the jail now redirects to the first jail IP.
2. Non-root users outside a jail cannot access any files inside a jail
(sysctl controllable)

The patch can be downloaded at
http://msalem.translator.cx/dist/jail_seperation.v6.patch.

Thanks,

--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pawel Jakub Dawidek
Sent: Thursday, February 27, 2003 7:44 AM
To: Mooneer Salem
Cc: FreeBSD Hackers
Subject: Re: Jail seperation patch


On Thu, Feb 27, 2003 at 07:16:15AM -0800, Mooneer Salem wrote:
+> Actually, I just gave it blah.lifeafterking.org in /etc/hosts. 10.0.0.4
+> really *is* in the same jail:
+>
+> %ifconfig
+> lnc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
+>         inet 10.0.0.3 netmask 0xffffffff broadcast 10.0.0.3
+>         inet 10.0.0.4 netmask 0xffffffff broadcast 10.0.0.4
+>         ether 00:50:56:e0:26:54
+> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
+> %hostname
+> test.lifeafterking.org
+> %

Ehh, so now I know nothing about your test settings. After all, the problem
isn't so trivial.

+> As for the hide files code, I found a possible location for it, in
+> vfs_subr.c (extattr_check_cred()). I added
+> this block to it:
[...]

IMHO very dirty and not complete. A jail doesn't have to be chrooted to a
different mount-point, and checks like those should be done between
vnodes, not pathnames.

In my opinion a better way is just to create another jail and not give
regular users access to the main host.

--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.

