Brad Knowles wrote:
> At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
>
> > The best short-term suggestion would be to write a
> > privilege-separated ping tool -- a pingd running outside the jail,
> > providing UNIX domain sockets in each jail that needs the ability to ping;
> > ping then becomes a client that RPC's to pingd.
>
> It strikes me that this is probably a better solution to the
> problem regardless of whether or not you are in a jail. By carefully
> controlling the RPC interface, you should be able to reduce the
> security exposure, simplify pingd, and bring more of the complex
> logic into the unprivileged ping client.
>
> This would also allow you to apply the same solution for jail vs.
> non-jail environments.
>
> Is this a future enhancement that we can realistically look forward to?

You would either lose or overexpose root-restricted functionality,
such as flood-ping.

-- Terry
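
An added example (not from the thread and not FreeBSD code): the per-request check a hypothetical pingd could run on its RPC interface, showing the point at which flood-ping is either lost or exposed. The request struct, the limits, and the per-socket `sock_allows_priv` flag are assumptions; the peer uid is assumed to come from the UNIX domain socket's peer credentials, for example via getpeereid(3).

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical request sent by the unprivileged ping client to pingd. */
struct ping_req {
    uint32_t count;        /* echo requests to send */
    uint32_t interval_ms;  /* gap between packets; 0 means flood */
    uint32_t payload_len;  /* ICMP data bytes */
};

enum ping_verdict { PING_OK = 0, PING_DENY_PRIV, PING_DENY_RANGE };

/* Illustrative limits (assumptions, not taken from ping(8)). */
#define MIN_UNPRIV_INTERVAL_MS 1000
#define MAX_UNPRIV_COUNT       100
#define MAX_PAYLOAD            65507  /* 65535 - 20 (IP) - 8 (ICMP) */

/*
 * peer_uid: uid of the connecting process as reported by the socket.
 * sock_allows_priv: set by the host admin per jail socket. uid 0 seen on
 * a jail's socket is that jail's root, so this flag is the whole decision:
 * 0 loses flood-ping inside the jail, 1 hands it to the jail's root.
 */
enum ping_verdict
pingd_check(const struct ping_req *r, uid_t peer_uid, int sock_allows_priv)
{
    int privileged = (peer_uid == 0 && sock_allows_priv);

    if (r->count == 0 || r->payload_len > MAX_PAYLOAD)
        return PING_DENY_RANGE;
    if (!privileged) {
        if (r->interval_ms < MIN_UNPRIV_INTERVAL_MS)
            return PING_DENY_PRIV;      /* includes flood (interval 0) */
        if (r->count > MAX_UNPRIV_COUNT)
            return PING_DENY_RANGE;
    }
    return PING_OK;
}

int main(void)
{
    struct ping_req flood = { 10, 0, 56 };  /* constructed sample request */
    printf("jail root, priv off: %d\n", pingd_check(&flood, 0, 0));
    printf("jail root, priv on:  %d\n", pingd_check(&flood, 0, 1));
    return 0;
}
```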