Brad Knowles wrote:
> At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
> > The best short-term suggestion would be to write a
> > privilege-separated ping tool -- a pingd running outside the jail,
> > providing UNIX domain sockets in each jail that needs the ability to ping;
> > ping then becomes a client that RPC's to pingd.
>
> It strikes me that this is probably a better solution to the
> problem regardless of whether or not you are in a jail. By carefully
> controlling the RPC interface, you should be able to reduce the
> security exposure, simplify pingd, and bring more of the complex
> logic into the unprivileged ping client.
>
> This would also allow you to apply the same solution for jail vs.
> non-jail environments.
>
> Is this a future enhancement that we can realistically look forward to?

You would either lose or overexpose root-restricted functionality,
such as flood-ping.

-- Terry

Received on Mon Aug 04 2003 - 08:54:31 UTC
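An added example, not part of this thread and not FreeBSD code: a sketch of the request check a pingd like the one proposed above could run, keeping flood-ping tied to kernel-reported peer credentials plus a per-socket policy instead of anything the client claims. The wire layout, limits, and the names `ping_req`, `pingd_check`, `pingd_demo` and `sock_allows_fast` are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical ping -> pingd request layout (12 bytes, no padding). */
struct ping_req {
    uint32_t dst_addr;     /* IPv4 destination, network byte order */
    uint16_t count;        /* echo requests to send */
    uint16_t payload_len;  /* ICMP payload bytes */
    uint32_t interval_ms;  /* gap between probes; 0 = flood */
};

enum verdict { REQ_OK = 0, REQ_MALFORMED, REQ_DENIED };
#define MAX_COUNT       1000u  /* assumed cap */
#define MAX_PAYLOAD     1472u  /* assumed cap: fits one 1500-byte MTU frame */
#define MIN_INTERVAL_MS 1000u  /* assumed floor for non-privileged requests */

/*
 * peer_uid must come from the kernel (e.g. getpeereid(3) on the accepted
 * socket), never from the message. sock_allows_fast is per-socket policy:
 * pingd sets it to 0 for sockets it placed inside a jail, so jailed root
 * (also uid 0) does not inherit flood-ping.
 */
enum verdict
pingd_check(const unsigned char *buf, size_t len, uid_t peer_uid,
    int sock_allows_fast, struct ping_req *out)
{
    if (buf == NULL || out == NULL || len != sizeof(*out))
        return REQ_MALFORMED;
    memcpy(out, buf, sizeof(*out));
    if (out->count == 0 || out->count > MAX_COUNT ||
        out->payload_len > MAX_PAYLOAD)
        return REQ_MALFORMED;
    if (out->interval_ms < MIN_INTERVAL_MS &&
        (peer_uid != 0 || !sock_allows_fast))
        return REQ_DENIED;
    return REQ_OK;
}

/* Constructed sample request (127.0.0.1, 5 probes), run through the check. */
enum verdict
pingd_demo(uid_t peer_uid, int sock_allows_fast, uint32_t interval_ms)
{
    struct ping_req in = { 0x0100007fu, 5, 56, interval_ms }, out;
    unsigned char wire[sizeof(in)];
    memcpy(wire, &in, sizeof(in));
    return pingd_check(wire, sizeof(wire), peer_uid, sock_allows_fast, &out);
}
```

Because each jail gets its own socket in the proposed design, the daemon knows which socket a request arrived on and can refuse sub-second intervals there even when the peer is uid 0.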