|
-
September 29th, 2005, 06:40 PM
#5
Nebulus, Heretic, those were exactly the answers I was looking for.
last -f <filename> will tell me who is logged, and can be run from outside the jail without the need to mount /dev/pts and /proc twice.
With /dev/pts and /proc mounted within the jail, the w, who, whoami and whatnot commands all work. Additionally, the write and talk programs are working now too, however they cannot communicate outside the jail, but that is the whole point, after all.
I would like to avoid mounting /dev/pts and /proc inside the jail. Well, actually I need /dev/pts for ssh logins to work, but /proc is not needed to connect to it. It gives out a whole crapload of info about my system, which rather defeats the point of having a jail.
What about making a "proc" goup, setting all of /proc to be owned by that group, and then setting the w, who, write and whatever commands that need /proc to also be in that group, and then setting those commands sgid? That way users would not be able to peek inside /proc except through the use of an authorized program. I think that would work, but can anyone think of any security implications for it?
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError community!
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote