Contributed by sean on from the new toys dept.
sysjail, an OpenBSD and NetBSD "jail" implementation, has reached freeze before its 1.0 release. This release will feature full (limited by "what's possible") jail compatibility, plus some extra niceties:
http://sysjail.bsd.lv/
sysjail uses a combination of chroot(2) and systrace(1) to create jailed environments. We are in need of people to batter the system, both from a security and usability perspective, before the release. I anticipate at least a few weeks of heavy testing to flush out all border conditions one can use to panic sysjail or provide a means to break through the jail barrier - for example, by providing bogus syscall values, or running one's favourite chroot-breaker. If you've a quick and dirty means to benchmark sysjail against common usage, please let us know as well!
Editor's Note: There does not seem to be a port of this application yet, so please make one if you use it. If you don't know how to make/submit a port then this would be a good one to cut your teeth on!
By Matthias Kilian (84.134.41.26) on
It's on the same site:
http://sysjail.bsd.lv/dist/obsd-sysjail-0.4.5.tar.gz
I didn't check it for correctness, but a first hit builds and installs it, and the PLIST and WANTLIB seem to be o.k. at a first glance.
By Anonymous Coward (66.111.212.52) on
By djm@ (203.217.30.86) on
By Nate (65.94.56.251) on
>
I always felt partial to teal.
By Thorsten Glaser (84.44.231.195) on http://mirbsd.de/
MirBSD actually has implemented two sysctls for hiding the
environment of other users' processes or their process
table entries entirely from other users, by idea of tedu@.
Feel free to take the diffs from our cvsweb.
(Let's paint it green?)
By Anonymous Coward (66.11.66.41) on
>
> MirBSD actually has implemented two sysctls for hiding the
> environment of other users' processes or their process
> table entries entirely from other users, by idea of tedu@.
>
> Feel free to take the diffs from our cvsweb.
Url?
By Anonymous Coward (66.111.212.52) on
> >
> > MirBSD actually has implemented two sysctls for hiding the
> > environment of other users' processes or their process
> > table entries entirely from other users, by idea of tedu@.
> >
> > Feel free to take the diffs from our cvsweb.
>
> Url?
66.11.66.41 CA CANADA ONTARIO TORONTO HOMELAND SECURITY TECHNOLOGY
Even more awesome. This gets better and better.
I may be wrong, and I'd like to hear it if I am, but I don't think that's the kind of "security" the OpenBSD developers are into.
This trusted computing business is rotten, really. And more annoyingly, it's not unix.
By Anonymous Coward (66.11.66.41) on
>
> Even more awesome. This gets better and better.
What gets better and better? Are you on drugs?
> I may be wrong, and I'd like to hear it if I am, but I don't think that's the kind of "security" the OpenBSD developers are into.
>
> This trusted computing business is rotten, really. And more annoyingly, it's not unix.
Uh, it was a company that makes GPS software. It has nothing to do with trusting computing, security or whatever else you are thinking. Marketing dummies do stupid things, like name a company homeland security technology corporation when they just make GPS software. Perhaps instead of commenting ignorantly on my IP, you could either A) give me a url to the cvsweb he mentioned, or B) stfu.
By Tommy (88.112.195.68) on
> Even more awesome. This gets better and better.
> I may be wrong, and I'd like to hear it if I am, but I don't think that's the kind of "security" the OpenBSD developers are into.
Well.. Fact is that some people put logins and whatever to command lines, which ps & co will of course show. Is there some other way to protect these people from their stupidity?
By Anonymous Coward (68.104.220.48) on
> > I may be wrong, and I'd like to hear it if I am, but I don't think that's the kind of "security" the OpenBSD developers are into.
>
> Well.. Fact is that some people put logins and whatever to command lines, which ps & co will of course show. Is there some other way to protect these people from their stupidity?
A lead pill. Who cares? You *can't* protect these people, or the systems they use, from their stupidity. I know firsthand they will find any and every possible hole to leak sensitive information out of. Users Cannot Be Educated Or Protected.
By Anonymous Coward (66.11.66.41) on
Those idiots pay us to host their sites. Considering how hard it is to explain to them not to use --password=s33kr1t on the command line, and have it actually sink in, yet how incredibly easy it is to just not show users each other's processes, this seems like a very good solution. Telling them "haha, you got hacked cause you are dumb" isn't going to stop them from switching to a provider that does make some attempt at protecting them from themselves.
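The exposure discussed in the comments above, as an added example that is not part of the original thread: a small audit that a hosting admin could run over process listings to find credentials passed in argv and report them with the secret masked. The option-name list, the `ps` column layout and the sample lines are assumptions constructed for this example.

```python
import re
import shlex

# Option names assumed to carry a credential; extend for local tools.
SECRET_OPT = re.compile(r"^-{1,2}(password|passwd|pass|token|secret|api[-_]?key)$", re.I)
# user:password@host embedded in a URL argument.
URL_CRED = re.compile(r"(\w+://[^/\s:@]+):([^@\s/]+)@")

# Constructed sample in the shape of `ps -axo user,pid,args` output.
SAMPLE_PS = """\
USER   PID COMMAND
alice  412 mysql --user=shop --password=s33kr1t shopdb
bob    530 curl -s ftp://bob:hunter2@ftp.example.org/site.tgz
carol  644 mysqldump -u carol --password s3cret blog
dave   701 vi notes.txt
"""

def redact_args(args):
    """Return (argv with secrets masked, True if any secret was found)."""
    try:
        argv = shlex.split(args)
    except ValueError:          # unbalanced quotes in a truncated ps line
        argv = args.split()
    out, found, mask_next = [], False, False
    for arg in argv:
        name, sep, _ = arg.partition("=")
        if mask_next:           # value of a "--password VALUE" pair
            out.append("****")
            found, mask_next = True, False
        elif SECRET_OPT.match(name):
            out.append(name + "=****" if sep else arg)
            found, mask_next = found or bool(sep), not sep
        else:
            arg, n = URL_CRED.subn(r"\1:****@", arg)
            out.append(arg)
            found = found or n > 0
    return out, found

def audit(ps_text):
    """Return [(user, pid, redacted command)] for processes exposing a secret."""
    hits = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            argv, found = redact_args(parts[2])
            if found:
                hits.append((parts[0], int(parts[1]), " ".join(argv)))
    return hits
```

A bare `--password` with no value (the interactive-prompt form) is not reported, since nothing secret appears in the process table in that case.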
By jirib (62.141.24.68) on
The world is so small :)
jirib
By Anonymous Coward (80.249.194.29) Artis on
I believe you meant Latvian.
By Sam Chill (68.53.205.186) samchill@gmail.com on
By Kristaps Johnson (62.85.46.110) on
Fixed. Until I push a bug-fix release I'll have a patch posted off of the main page. Thank you!
By Thorsten Glaser (213.196.246.74) on http://mirbsd.de/
This one's better:
base) base_$(uname) ;;
Same for the others.
By Miod Vallat (82.195.186.220) miod@ on
>
> base) base_$(uname) ;;
>
> Same for the others.
Since when does uname return a lowercase string on *BSD systems?