Howdy! I'm not sure if this is actually an issue, feature or a bug, but I have found that inside a jail, the jailed root user is able to sniff traffic (and enable promiscuous mode) on at least the interface of the IP address the jail is attached to. I have not found any documentation explaining if this should occur or not, but I feel it is something that should at least be known to those using jails. Please let me know if anyone knows if this is an error, a problem that can't be fixed, or if it's designed to be this way. Thanks! -Micah
In message <20050111221055.GD68350@micah.tamu.edu>, Micah writes:>Howdy! > >I'm not sure if this is actually an issue, feature or a bug, but I have found >that inside a jail, the jailed root user is able to sniff traffic (and enable >promiscuous mode) on at least the interface of the IP address the jail is attached >to.Only if you leave bpf devices in the devfs mounted on the jail. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.