On 2007.01.20 14:03:08 +0100, Pawel Jakub Dawidek wrote: > On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote: > [...] > > BTW. with regard to the console.log file I really don't think it > > should be put back inside the jail unless it's possible to make the > > generation of the file entirely inside the jail since it's just not > > worth the risk/complexity. I think it should be possible to do this > > with jail(8) in -CURRENT (see -J flag), but: > > When -J operates on a file inside a jail, it create the same security > hole as the one from security advisory, because it opens a file before > calling jail(2).
My thought with using -J was not place the info about jid in a file outside the jail root, basically (pseudo code): _tmpfile=`mktemp...` jail -J $_tmpfile "sh /etc/rc > /var/log/console.log" _jid=`cat $_tmpfile | something` At least that was what I thought might be possible with the -J switch when I noticed it existed. In any case, actually coding this, verifying that it works and is safe is left up to anyone who cares about having console.log inside the jail. -- Simon L. Nielsen _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"