Re: Any patch for ICMP in a jail?

From: Terry Lambert <tlambert2_at_mindspring.com>
Date: Mon, 04 Aug 2003 10:53:03 -0700
Brad Knowles wrote:
> At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
> >       The best short-term suggestion would be to write a
> >  privilege-separated ping tool -- a pingd running outside the jail,
> >  providing UNIX domain sockets in each jail that needs the ability to ping;
> >  ping then becomes a client that RPC's to pingd.
> 
>         It strikes me that this is probably a better solution to the
> problem regardless of whether or not you are in a jail.  By carefully
> controlling the RPC interface, you should be able to reduce the
> security exposure, simplify pingd, and bring more of the complex
> logic into the unprivileged ping client.
> 
>         This would also allow you to apply the same solution for jail vs.
> non-jail environments.
> 
>         Is this a future enhancement that we can realistically look forward to?

You would either lose or overexpose root-restricted functionality,
such as flood-ping.

-- Terry
Received on Mon Aug 04 2003 - 08:54:31 UTC
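An added example (not code from this thread, nor from FreeBSD's ping or any pingd) of the validation step such a privilege-separated pingd would apply to each request arriving over the per-jail UNIX domain socket; it also shows the trade-off raised in the reply: flood-ping parameters are refused outright rather than exposed. The request layout, the PINGD_* names and the limits are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical fixed-size request from a jailed client over the UNIX socket. */
struct ping_request {
    char     dst[INET_ADDRSTRLEN]; /* dotted-quad IPv4 destination */
    uint32_t count;                /* echo requests to send */
    uint32_t interval_ms;          /* spacing between requests */
    uint32_t payload_len;          /* ICMP data bytes per request */
};
enum { PINGD_OK = 0, PINGD_BAD_ADDR, PINGD_BAD_DST, PINGD_TOO_MANY,
       PINGD_TOO_FAST, PINGD_TOO_BIG };

/* Limits are fixed in the daemon and the jail cannot raise them, so
 * root-only behaviour such as flood-ping is refused rather than exposed. */
#define PINGD_MAX_COUNT       16
#define PINGD_MIN_INTERVAL_MS 200
#define PINGD_MAX_PAYLOAD     56
/* Validate one request before touching the raw ICMP socket; parsed dst out. */
int pingd_check_request(const struct ping_request *req, struct in_addr *dst)
{
    struct in_addr a;
    /* Must be NUL-terminated inside the buffer and parse cleanly. */
    if (memchr(req->dst, '\0', sizeof req->dst) == NULL ||
        inet_pton(AF_INET, req->dst, &a) != 1)
        return PINGD_BAD_ADDR;
    uint32_t host = ntohl(a.s_addr);
    /* No multicast (224/4) or limited-broadcast targets from a jail. */
    if ((host >> 28) == 0xE || host == INADDR_BROADCAST)
        return PINGD_BAD_DST;
    if (req->count == 0 || req->count > PINGD_MAX_COUNT)
        return PINGD_TOO_MANY;
    if (req->interval_ms < PINGD_MIN_INTERVAL_MS)
        return PINGD_TOO_FAST;
    if (req->payload_len > PINGD_MAX_PAYLOAD)
        return PINGD_TOO_BIG;
    if (dst)
        *dst = a;
    return PINGD_OK;
}
/* Wrapper: build a request from plain values and check it. */
int pingd_check(const char *dst, uint32_t count, uint32_t interval_ms,
                uint32_t payload_len)
{
    struct ping_request req = { .count = count, .interval_ms = interval_ms,
                                .payload_len = payload_len };
    size_t n = strlen(dst);
    if (n > sizeof req.dst)
        n = sizeof req.dst;          /* over-long input stays unterminated */
    memcpy(req.dst, dst, n);
    return pingd_check_request(&req, NULL);
}
```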

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:17 UTC