In message <86zkmu26k3.fsf@ds4.des.no>, =?utf-8?Q?Dag-Erling_Sm鷨grav?= wr ites: >Jason Hellenthal <jhell@DataIX.net> writes: >> Do you know if there is a way that chmod on / from within the jail could > >> be prevented easily without breaking something ? Maybe not failing but >> falling though and return 0 for any operation with the sole argument of /. > >Not without adding explicit checks in the kernel. I identified this issue back when I implemented jails and though long and hard about adding a kernel hack to paste over this. My conclusion was that there were not enough justification for it, based on the usage model envisioned then: virtual-machines-light. Gettys first rule says: 1. Do not add new functionality unless an implementor cannot complete a real application without it. and I think we should stick to that before adding more or less random pieces of magic to the kernel. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"