jail, jail_attach - imprison current process and future descendants
Standard C Library (libc, -lc)
The argument is a pointer to a structure describing the prison:
    struct jail {
            u_int32_t       version;
            char            *path;
            char            *hostname;
            u_int32_t       ip_number;
    };
``version'' defines the version of the API in use. It should be set to zero at this time.
The ``path'' pointer should be set to the directory which is to be the root of the prison.
The ``hostname'' pointer can be set to the hostname of the prison. This can be changed from the inside of the prison.
The ``ip_number'' can be set to the IP number assigned to the prison.
The jail_attach() system call attaches the current process to an existing jail, identified by jid.
Inside the prison, the concept of ``superuser'' is very diluted. In general, it can be assumed that nothing can be mangled from inside a prison which does not exist entirely inside that prison. For instance, the directory tree below ``path'' can be manipulated in all the ways root can normally do it, including ``rm -rf /*'', but new device special nodes cannot be created because they reference shared resources (the device drivers in the kernel). The effective ``securelevel'' for a process is the greater of the global ``securelevel'' or, if present, the per-jail ``securelevel''.
All IP activity will be forced to happen to/from the IP number specified, which should be an alias on one of the network interfaces.
It is possible to identify a process as jailed by examining ``/proc/<pid>/status''. It will show a field near the end of the line, either as a single hyphen for a process at large, or as the hostname currently set for the prison for jailed processes.
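One way to apply the /proc check described above, as an added example rather than code from the FreeBSD sources. It assumes the jail field is the last whitespace-separated field of the status line (the page says only "near the end"); the function name and the sample lines are constructed for illustration.

```c
/* Added example: classify a process from one /proc/<pid>/status line. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum jail_state { JAIL_UNKNOWN = -1, JAIL_AT_LARGE = 0, JAIL_JAILED = 1 };

/*
 * Assumption: the jail field is the LAST field on the line. Scanning from
 * the end means blanks earlier in the line cannot shift the field.
 * The hostname can be changed from inside the prison, so treat the copy in
 * host (truncated to hostlen - 1 bytes) as an untrusted label, not an identity.
 */
enum jail_state
jail_state_from_status(const char *line, char *host, size_t hostlen)
{
	size_t end, start, n;
	if (host != NULL && hostlen > 0)
		host[0] = '\0';
	if (line == NULL)
		return (JAIL_UNKNOWN);
	end = strlen(line);
	while (end > 0 && isspace((unsigned char)line[end - 1]))
		end--;				/* drop trailing newline and blanks */
	start = end;
	while (start > 0 && !isspace((unsigned char)line[start - 1]))
		start--;			/* walk back over the last field */
	if (start == end || start == 0)
		return (JAIL_UNKNOWN);		/* empty line or a single field */
	n = end - start;
	if (n == 1 && line[start] == '-')
		return (JAIL_AT_LARGE);		/* single hyphen: process at large */
	if (host != NULL && hostlen > 0) {
		if (n >= hostlen)
			n = hostlen - 1;
		memcpy(host, line + start, n);
		host[n] = '\0';
	}
	return (JAIL_JAILED);
}
/* Constructed sample lines, not captured from a real system. */
static const char sample_free[] = "sh 512 511 512 512 5,1 ctty 0,0 0,0 0,0 pause 0 0 0,0 -\n";
static const char sample_jail[] = "httpd 733 1 733 733 -1,-1 noflags 0,0 0,0 0,0 select 0 0 0,0 www.example.org\n";

int
main(void)
{
	char host[256];
	printf("at large: %d\n", jail_state_from_status(sample_free, host, sizeof(host)));
	printf("jailed:   %d (%s)\n", jail_state_from_status(sample_jail, host, sizeof(host)), host);
	return (0);
}
```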
Further, jail() calls chroot(2) internally, so it can fail for all the same reasons. Please consult the chroot(2) manual page for details.