Re: cvs commit: src/sys/kern kern_jail.c

From: Robert Watson <rwatson@FreeBSD.org>
Date: 15 Feb 2004 08:29:37
Subject: Re: cvs commit: src/sys/kern kern_jail.c
Message-ID: Pine.NEB.3.96L.1040215112750.56481A-100000@fledge.watson.org


On Sun, 15 Feb 2004, Pawel Jakub Dawidek wrote:

> On Sat, Feb 14, 2004 at 11:19:48AM -0800, Robert Watson wrote:
> +> Committer: Robert Watson <rwatson@FreeBSD.org>
> +> Branch: HEAD
> +>
> +> Files:
> +> 1.38 src/sys/kern/kern_jail.c
> +>
> +> Log:
> +> By default, don't allow processes in a jail to list the set of
> +> jails in the system. Previous behavior (allowed) may be restored
> +> by setting security.jail.list_allowed=1.
>
> Are you planning to leave this sysctl? IMHO the previous behaviour was
> just bad, this was a bug, and restoring this behaviour shouldn't be
> permitted. But if this sysctl is just a temporary solution and will be
> removed in the future, it is ok (but maybe BURN_BRIDGES should be
> added?).
>
> PS. This functionality is quite fresh, I'm not sure if someone started
> to depend on it...

Yeah, the interesting question here is whether it was intentional in the
first place for a good reason, or just a by-product of the implementation.
How about we wait three weeks and see if anyone complains on
freebsd-current about the loss of functionality -- if no one says
anything, we remove the sysctl?

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Senior Research Scientist, McAfee Research


