author | Andrew R. Reiter <arr@FreeBSD.org> | 2002-01-16 06:55:30 +0000 |
---|---|---|
committer | Andrew R. Reiter <arr@FreeBSD.org> | 2002-01-16 06:55:30 +0000 |
commit | d0615c64a5448ad63ade0b793516145efc846d31 (patch) | |
tree | e1d5ce61a8174cc7c8b01d4bdcaed7af9b80f626 /usr.sbin | |
parent | 8af31e7b46eb0e5d9c733438958e913c907fe6ba (diff) | |
- Attempt to help declutter kern. sysctl by moving security out from
beneath it.
Reviewed by: rwatson
Notes:
svn path=/head/; revision=89414
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/jail/jail.8 | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 7595e007bcdf..3866d19c9ec9 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -233,7 +233,7 @@ script from within the jail. .Pp NOTE: If you plan to allow untrusted users to have root access inside the jail, you may wish to consider setting the -.Va kern.security.jail.set_hostname_allowed +.Va security.jail.set_hostname_allowed to 0. Please see the management reasons why this is a good idea. If you do decide to set this variable, @@ -311,14 +311,14 @@ default, modified from within the jail, so the status entry is unreliable by default. To disable the setting of the hostname from within a jail, set the -.Va kern.security.jail.set_hostname_allowed +.Va security.jail.set_hostname_allowed sysctl variable in the host environment to 0, which will affect all jails. You can have this sysctl set on each boot using .Xr sysctl.conf 5 . Just add the following line to .Pa /etc/sysctl.conf : .Pp -.Dl kern.security.jail.set_hostname_allowed=0 +.Dl security.jail.set_hostname_allowed=0 .Pp In a future version of .Fx , @@ -332,7 +332,7 @@ MIB variables. Currently, these variables affect all jails on the system, although in the future this functionality may be finer grained. .Bl -tag -width XXX -.It Va kern.security.jail.set_hostname_allowed +.It Va security.jail.set_hostname_allowed This MIB entry determines whether or not processes within a jail are allowed to change their hostname via .Xr hostname 1 @@ -344,7 +344,7 @@ information in .Pa /proc . As such, this should be disabled in environments where privileged access to jails is given out to untrusted parties. -.It Va kern.security.jail.socket_unixiproute_only +.It Va security.jail.socket_unixiproute_only The jail functionality binds an IPv4 address to each jail, and limits access to other network addresses in the IPv4 space that may be available in the host environment. 
@@ -361,7 +361,7 @@ domain sockets, IPv4 addresses, and routing sockets. To enable access to other domains, this MIB variable may be set to 0. -.It Va kern.security.jail.sysvipc_allowed +.It Va security.jail.sysvipc_allowed This MIB entry determines whether or not processes within a jail have access to System V IPC primitives. In the current jail implementation, System V primitives share a single |
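Review bot: The rename is not documented for existing installations, which matters most in the @@ -311,14 +311,14 @@ hunk at the `.Dl security.jail.set_hostname_allowed=0` line. A host whose /etc/sysctl.conf still carries `kern.security.jail.set_hostname_allowed=0` keeps the hostname restriction only if the old name continues to resolve, and nothing in the visible text says whether it does. Since the page recommends this setting for jails handed to untrusted parties, add a sentence near the sysctl.conf example (or at the top of the MIB variable list in the @@ -332,7 +332,7 @@ hunk) stating that these variables previously lived under kern.security.jail and that existing sysctl.conf entries must be updated. The same applies to `security.jail.socket_unixiproute_only` and `security.jail.sysvipc_allowed` in the later hunks.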