On Mon, Oct 23, 2017 at 8:31 AM, Steve Wills <swi...@freebsd.org> wrote:
> Note too that security.bsd.see_jail_proc is partially a work around for
> the fact that security.bsd.see_other_* doesn't work as you might expect.
> It's literally the UID/GID, rather than the username, so
> security.bsd.see_other_* has no idea that the users in the jail are not the
> same users on the host, which is unexpected and counter-intuitive at best
> and dangerous at worst. (Even if that were changed,
> security.bsd.see_jail_proc is still useful for the potential scenario where
> you don't want/need to set security.bsd.see_other_* but don't want users to
> see processes in jails.)

security.bsd.see_other_* cannot do anything *but* UID/GID -- note that it is
supported to have multiple user entries on a single system that share a UID,
and the username used to log in is not tracked by the kernel. (E.g., root and
toor.)

-Ben
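
Added example, not part of the original thread: a small audit that makes the UID-versus-username point concrete by listing numeric UIDs that carry more than one login name within one passwd(5) file (the root/toor case) and UIDs that a host and a jail both use for different names. The function names and the sample passwd data are constructed for illustration.

```python
"""Find numeric UIDs that map to more than one login name (passwd(5) format)."""
from collections import defaultdict

# Constructed sample data, not taken from any real system.
HOST_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""
JAIL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
bob:*:1001:1001:Bob:/home/bob:/bin/sh
"""

def parse_passwd(text):
    """Return {uid: set(login names)} from passwd(5)-format text."""
    by_uid = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed entries
        by_uid[int(fields[2])].add(fields[0])
    return by_uid

def shared_within(text):
    """UIDs with several names in one file; only the number identifies them."""
    return {uid: sorted(names)
            for uid, names in parse_passwd(text).items() if len(names) > 1}

def collisions_across(host_text, jail_text):
    """UIDs used by both host and jail for different sets of names.
    A UID-based visibility check would treat these as the same user."""
    host, jail = parse_passwd(host_text), parse_passwd(jail_text)
    return {uid: (sorted(host[uid]), sorted(jail[uid]))
            for uid in sorted(host.keys() & jail.keys())
            if host[uid] != jail[uid]}

if __name__ == "__main__":
    print("shared on host:", shared_within(HOST_PASSWD))
    print("host/jail collisions:", collisions_across(HOST_PASSWD, JAIL_PASSWD))
```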