Re: Should jail treat ip-number?
Daniel C. Sobral (dcs newsguy.com)
Thu, 18 Nov 1999 03:16:58 +0900
- Previous message: Poul-Henning Kamp: "Re: kernel stack contents visible from userland"
- In reply to: Kelly Yancey: "kernel stack contents visible from userland"
- Next in thread: Ollivier Robert: "Re: Should jail treat ip-number?"
Yoshinobu Inoue wrote:
>
> -As already commented, checking those addresses which are
> already specified by other jail'ed processes is necessary.

I disagree. The address is specified by the admin of the machine.
Letting him shoot himself in the foot is not particularly bad, and the
test can be performed by the userland tools used to manage the
machine.

> solution:
> Don't specify addresses via jail(2), and let kernel select
> any non-bound address.
> Loop in_ifaddr list and try in_pcblookup_hash() for each
> of addresses, just as in_pcbbind does it to search for non-
> bound port.
>
> A weak point of this solution is that processes in the same jail
> won't necessarily be bound to the same address, but does it
> matter?

Ok, question: I "buy" a virtual server on the machine to run an
internet daemon of mine. I need the IP to that server to access the
daemon. How does the admin of the machine ensure that _my_ jail will
have the fixed IP assigned to me always with your solution?

-- Daniel C. Sobral (8-DCS) dcsnewsguy.com dcs freebsd.org
"Then again maybe not going to heaven would be a blessing. Relkin liked a certain amount of peace and harmony, since there'd been a pronounced shortage of them in his own life; however, nothing but peace and harmony, forever and forever? He wasn't sure about that. And no beer? Very dubious proposition."
To Unsubscribe: send mail to majordomo FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
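
The reply above argues that each jail keeps a fixed, admin-assigned address and that the duplicate-address test belongs in the userland management tools. The following is an added example, not part of the original message or of FreeBSD: a pre-flight check such a tool could run before starting a jail. The registry layout, jail names and addresses are constructed for illustration, and the code only performs the check; it does not call jail(2).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* One row of a hypothetical admin-maintained jail registry. */
struct jail_entry { const char *name; const char *ip; };

/* Constructed sample data: "mail" reuses the address assigned to "www". */
static const struct jail_entry sample_registry[] = {
    { "www",  "192.0.2.10" },
    { "db",   "192.0.2.11" },
    { "mail", "192.0.2.10" },
    { "bad",  "192.0.2.300" },   /* not a valid IPv4 address */
};
#define SAMPLE_COUNT (sizeof sample_registry / sizeof sample_registry[0])
enum { CHECK_OK = 0, CHECK_UNKNOWN = -1, CHECK_BAD_ADDR = -2, CHECK_DUPLICATE = -3 };

/* Return CHECK_OK and the parsed address in *out if jail `name` may use its fixed
 * address; on CHECK_DUPLICATE, *owner is the earlier jail holding that address. */
int check_jail_ip(const struct jail_entry *reg, size_t n, const char *name,
                  struct in_addr *out, const char **owner)
{
    struct in_addr mine, other;
    size_t i, self;
    for (self = 0; self < n && strcmp(reg[self].name, name) != 0; self++)
        ;
    if (self == n)
        return CHECK_UNKNOWN;
    if (inet_pton(AF_INET, reg[self].ip, &mine) != 1)
        return CHECK_BAD_ADDR;
    /* Compare parsed addresses rather than strings; the first entry wins. */
    for (i = 0; i < self; i++)
        if (inet_pton(AF_INET, reg[i].ip, &other) == 1 &&
            other.s_addr == mine.s_addr) {
            *owner = reg[i].name;
            return CHECK_DUPLICATE;
        }
    *out = mine;
    return CHECK_OK;
}

int main(void)
{
    struct in_addr addr;
    const char *owner = "";
    int rc = check_jail_ip(sample_registry, SAMPLE_COUNT, "mail", &addr, &owner);
    printf("mail: rc=%d conflicting jail=%s\n", rc, owner);
    return rc == CHECK_OK ? 0 : 1;
}
```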
This archive was generated by hypermail 2.0b3 on Wed Nov 17 1999 - 12:37:30 CST