summaryrefslogtreecommitdiffstats
path: root/usr.sbin/jail
Commit message (Collapse)AuthorAgeFilesLines
* Revert 1.73, since mounting devfs without a devfs ruleset inside asimon2006-05-281-1/+0
| | | | | | | jail is a very bad idea security wise. Approved by: trhodes (jcamou mentor) No response: jcamou
* Mention ruleset #4 (devfsrules_jail) in jail's man page.matteo2006-05-281-1/+3
| | | | MFC after: 3
* correct strtol(3) usage and style(9)matteo2006-05-121-4/+8
| | | | | Reviewed by: maxim MFC after: 2 weeks
* o Style(9) the previous commit a bit.maxim2006-05-111-13/+7
|
* Add the -s option to set jail's securelevel. This is useful for jails run ↵matteo2006-05-112-4/+26
| | | | | | | with non-root privileges. PR: bin/80242 MFC after: 2 weeks
* Use .Vt for struct xprisonmatteo2006-05-101-2/+4
| | | | Suggested by: keramida
* document security.jail.list sysctl in jail(8)matteo2006-05-081-1/+9
| | | | | PR: docs/96807 MFC after: 3
* o Document security.jail.jailed sysctl.maxim2006-05-031-1/+6
| | | | | | PR: docs/94711 Submitted by: Andreas Kohn MFC after: 2 weeks
* o Do not mangle current session user login name with jail -u|-U.maxim2006-04-161-1/+1
| | | | | | PR: bin/94730 Submitted by: Frank Behrens MFC after: 1 month
* Do `mount_devfs' when starting a jail.jcamou2006-03-161-0/+1
| | | | | | | PR: docs/86044 Noticed by: Dan Langille <dan@langille.org> Reviewed by: Jose Biskofski <jbiskofski@grmims.com> Approved by: trhodes (mentor)
* Add [-J jid_file] option to write out a JidFile, similar to a PidFile,philip2005-12-032-6/+30
| | | | | | | | | | containing the jailid, path, hostname, ip and the command used to start the jail. PR: misc/89883 Submitted by: L. Jason Godsey <lannygodsey -at- yahoo.com> Reviewed by: phk MFC after: 1 week
* Note that the jail setup example is meant to be fed to sh(1), not csh(1).keramida2005-10-261-3/+4
| | | | | | | PR: docs/87351 Submitted by: "Eli K. Breen" <bsd@unixforge.net> Approved by: simon, brooks MFC after: 3 days
* Add some more info about jail startup and shutdown.brueffer2005-08-071-7/+17
| | | | | Submitted by: Jeremie Le Hen <jeremie@le-hen.org> MFC after: 3 days
* Move DNS configuration before sendmail configuration, becausearved2005-07-251-4/+4
| | | | | | newaliases(1) may hang without proper DNS configuration. Approved by: brueffer
* Mention that it is possible to have jailsjcamou2005-07-201-0/+6
| | | | | | | | | | started at boot time if specified in /etc/rc.conf. PR: docs/81040 Submitted by: matteo Approved by: trhodes (mentor) MFC after: 1 week
* Markup fixes.ru2005-06-141-9/+6
| | | | Approved by: re (blanket)
* Update manual page after sysctl rename.pjd2005-06-091-13/+16
| | | | Corrected by: brueffer
* Document 'jid' keyword for ps(1) and '-j' option for pgrep(1)/pkill(1).pjd2005-05-281-5/+20
|
* Remove symblic link kernel->dev/null creation. We don't need it in 5.x/6.xpjd2005-05-141-2/+0
| | | | | | world (there is no /kernel file anymore). Reminded by: Isaac Levy presentation
* Fix spelling errors.joel2005-04-301-2/+2
| | | | Approved by: brueffer (mentor)
* Added the convenience "distribution" target which calls theru2005-02-271-2/+1
| | | | | | target of the same name from src/etc/Makefile with a proper environment, suitable to be used during upgrades and cross- builds.
* Add a new sysctl, "security.jail.chflags_allowed", which controls thecperciva2005-02-081-0/+9
| | | | | | | | | | | | | behaviour of chflags within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user. This is necessary to allow "make installworld" to work inside a jail, since it attempts to manipulate the system immutable flag on certain files. Discussed with: csjp, rwatson MFC after: 2 weeks
* Fixed punctuation in xrefs.ru2005-01-211-1/+1
|
* Scheduled mdoc(7) sweep.ru2005-01-111-5/+3
|
* Initialize lcap and pwd to NULL. This allows a WARNS=6 clean build,delphij2004-11-172-3/+3
| | | | | | | | | hence bump it to 6. Note that the last commit message was not quite accurate. While the assumption exists in the code, it's not possible to have an uninitialized p there because if lflag is set when username is NULL then execution would be terminated earlier.
* The code path in main() dealing with lflag assumes that p wasdelphij2004-11-171-1/+1
| | | | | initialized with NULL, while it is not. So let's initialize it.
* Pass an array of gid_t rather than an array of int to getgroups().stefanf2004-10-021-1/+2
| | | | PR: 56646
* o Add -l option to jail(8) similar to su(1): before running jail'edmaxim2004-08-152-6/+50
| | | | | | | | | program under specific user's credentials, clean the environment and set only a few variables. PR: bin/70024 Submitted by: demon MFC after: 1 month
* Mechanically kill hard sentence breaks.ru2004-07-021-2/+4
|
* Prepare jail(8) utility for new functionality which will limitpjd2004-06-271-4/+6
| | | | | | seeing status of mounted file system for jailed processes. Pass full path of jail's root directory to the kernel. mount(8) utility is doing the same thing already.
* Markup nits.ru2004-06-051-7/+11
|
* Sentences should not start with conjunctions. Change "Because"csjp2004-06-011-2/+2
| | | | | | to "Since". Pointed out by: Ceri
* Add a warning note to security.jail.allow_raw_socketscsjp2004-06-011-1/+4
| | | | | | | | | | | | | | | about the risks of enabling raw sockets in prisons. Because raw sockets can be used to configure and interact with various network subsystems, extra caution should be used where privileged access to jails is given out to untrusted parties. As such, by default this option is disabled. A few others and I are currently auditing the kernel source code to ensure that the use of raw sockets by privledged prison users is safe. Approved by: bmilekic (mentor)
* o Implement -U flag: run command as user which exists only in jail.maxim2004-05-292-19/+40
| | | | | | | | | o getpwnam(3) returns NULL and does not set errno when the user does not exist. Bail out with "no such user" instead of "Unknown error: 0". PR: bin/67262 Submitted by: demon (-U flag) MFC after: 3 weeks
* Typos and nits.dannyboy2004-05-201-19/+19
|
* Document security.jail.getfsstatroot_only sysctl.pjd2004-05-201-0/+14
| | | | | Obtained from: rwatson's commit log Approved by: rwatson
* mdoc(7) cleanup for the last commit to this file.simon2004-05-041-3/+10
| | | | OK'ed by: bmilekic
* Ammend jail(8) man page to explain new sysctl for raw-socketsbmilekic2004-05-031-0/+7
| | | | | | inside jails, Christian's last submission. Submitted by: Christian S.J. Peron <maneo@bsdpro.com>
* Correct typo.le2004-02-061-1/+1
|
* A variety of content cleanups:rwatson2003-11-201-22/+70
| | | | | | | | | | | | | | | | | | | | | | | (1) Document the notion of using jail(8) to run "virtual servers" or just to constrain specific applications. If only running specific applications, some configuration steps are unnecessary (such as editing rc.conf). (2) Add some more subsection headers to break up the bigger chunks of text. (3) Clarify the problems associated with applications binding all IP addresses in the host, and attempt to be more specific about potential application problems. Document how to force sshd to bind the the right socket. (4) Suggest that in a jailed application scenario, you might want to have the host syslogd listen on the socket in the jail, rather than running syslogd in the jail. (5) Catch another reference to /stand/sysinstall. Approved by: re (bmah implicitly)
* No need to copy sysinstall into a jail with -CURRENT, since inrwatson2003-11-201-10/+2
| | | | | | -CURRENT, we have /usr/sbin/sysinstall. Approved by: re (bmah implicitly)
* - Add a note that there are two MIB variables that have per-jailkensmith2003-11-111-0/+8
| | | | | | | settings. Reviewed by: rwatson Approved by: blackend (mentor)
* add FBSDIDcharnier2003-07-061-3/+3
|
* When pointing users at mount_devfs to populate the /dev of a jail,rwatson2003-06-261-0/+10
| | | | | | | tell them that they also need to use devfs rules to prevent inappropriate devices from appearing in the jail; add an Xref. In earlier versions of this man page, the user was instructed to use sh MAKEDEV jail, which only created a minimal set of device nodes.
* Force output of jail ID (if necessary) before excuting the command,mike2003-04-211-1/+3
| | | | | otherwise redirection of stdout to a file using block buffering will not complete in time.
* o Add jls(8) for listing active jails.mike2003-04-092-20/+35
| | | | | | | o Add jexec(8) to execute a command in an existing jail. o Add -j option for killall(1) to kill all processes in a specified jail. o Add -i option to jail(8) to output jail ID of newly created jail.
* Free login_cap(3) resources after usage.maxim2003-04-071-0/+1
| | | | Submitted by: demon
* o Fix error messages formatting, style.maxim2003-04-021-29/+22
| | | | | Prodded by: bde Reviewed by: bde
* o Add -u <username> flag to jail(8): set user context before exec.maxim2003-03-273-12/+84
| | | | | | | PR: bin/44320 Submitted by: Mike Matsnev <mike@po.cs.msu.su> Reviewed by: -current MFC after: 6 weeks
* portmap_enable -> rpcbind_enable.maxim2003-03-181-2/+2
| | | | Spotted by: Andrew Khlebutin <andreyh@perm.ru>
OpenPOWER on IntegriCloud