At 8:35 AM -0400 2003/08/04, Robert Watson wrote: > The best short-term suggestion would be to write a > privilege-separated ping tool -- a pingd running outside the jail, > providing UNIX domain sockets in each jail that needs the ability to ping; > ping then becomes a client that RPC's to pingd. It strikes me that this is probably a better solution to the problem regardless of whether or not you are in a jail. By carefully controlling the RPC interface, you should be able to reduce the security exposure, simplify pingd, and bring more of the complex logic into the unprivileged ping client. This would also allow you to apply the same solution for jail vs. non-jail environments. Is this a future enhancement that we can realistically look forward to? -- Brad Knowles, <brad.knowles_at_skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)Received on Mon Aug 04 2003 - 03:49:10 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:17 UTC