On Tue, Aug 05, 2003 at 03:55:55AM -0700, Terry Lambert wrote: > Through the credential passing? I thought that wasn't reliable > for this type of thing. Specifically, the jail would be in an > untrusted protection domain; if you just accepted the credential > blindly, then anyone could be root in the jail, and you could not > trust it. > > If you didn't accept it blindly, then regular root loses existing > functionality. > > I'm pretty sure that, at least the last time I looke at it, the > credential passing code didn't pass information about jail status. [deletia] Sorry, you are right. Despite the subject line, I wasn't thinking of jails at this point, but just of removing the setuid bit from ping. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar_at_celabo.org . jvidrine_at_verio.net . nectar_at_freebsd.org . nectar_at_kth.seReceived on Tue Aug 05 2003 - 02:51:13 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:17 UTC