Date:      Sun, 13 Mar 2005 12:04:23 +0000
From:      Chris Hodgins <chodgins@cis.strath.ac.uk>
To:        Denis Shaposhnikov <dsh@vlink.ru>
Cc:        Frank Knobbe <frank@knobbe.us>
Subject:   Re: Idea about 'skeleton jail
Message-ID:  <42342C47.209@cis.strath.ac.uk>
In-Reply-To: <87d5u33j51.fsf@neva.vlink.ru>
References:  <1107178792.613.22.camel@spirit> <20050131161006.GD60177@obiwan.tataz.chchile.org> <51723.81.84.175.77.1107199764.squirrel@81.84.175.77> <1110689557.890.73.camel@localhost> <87d5u33j51.fsf@neva.vlink.ru>

Denis Shaposhnikov wrote:
>>>>>>"Frank" == Frank Knobbe <frank@knobbe.us> writes:
> 
> 
>  Frank> If you nullfs these directories, you lose the ability to
>  Frank> prune the jail. Pruning is part of system hardening. I'd
> 
> Maybe it's better to use unionfs, so anybody can replace binaries
> with their stub version pre jail.
> 

This might be a very stupid idea but how about a jailfs?  Now I don't 
know all that much about filesystem design so bear with me.  How about 
something like this:

# ls /usr/jail
fulljail smalljail fulljail.conf smalljail.conf
# cd /usr/jail/fulljail
# ls
dev etc home
# cat ../fulljail.conf
allow-all read-only

ignore
	/dev
	/etc
	/usr/home

allow read-write
	/usr/ports/distfiles

# cd ../smalljail
# ls
# cat ../smalljail.conf
ignore-all

allow read-only
	/bin
	/usr/bin

allow read-write
	/usr/home

# cd /usr/jail
# jail /usr/jail/fulljail fulljail 127.0.0.1 /bin/sh /etc/rc
# jexec 1 ls
COPYRIGHT  boot compat  dist etc   lib      mnt   rescue  sbin   sys 
usr  bin cdrom  dev  entropy  home  libexec  proc  root  stand  tmp  var
# jail /usr/jail/smalljail smalljail 127.0.0.1 /bin/sh /home/myhome/specialtask.sh
# jexec 2 ls
bin usr home
#

So the jail filesystem is configured at jail-creation time and uses the 
host's files or jail files depending on the configuration.  Might have to 
pass the config file into the jail command.

As I said I am not an expert.  Maybe one of the experts could let me 
know what they think?

Chris
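
The two configuration files sketched in the message above, run through a small policy resolver, as an added example that is not part of the original e-mail or of FreeBSD. The semantics are assumptions: "ignore" means the jail's own directory is used instead of the host's, the most specific path wins, and the names norm, parse_conf and resolve are hypothetical.

```python
import posixpath

# Constructed from the two config files shown in the message above.
FULLJAIL_CONF = "allow-all read-only\n\nignore\n\t/dev\n\t/etc\n\t/usr/home\n\nallow read-write\n\t/usr/ports/distfiles\n"
SMALLJAIL_CONF = "ignore-all\n\nallow read-only\n\t/bin\n\t/usr/bin\n\nallow read-write\n\t/usr/home\n"
MODES = {"read-only": "ro", "read-write": "rw"}

def norm(path):
    # Lexical cleanup only; symlinks would need resolving at lookup time.
    if not path.startswith("/"):
        raise ValueError("absolute path required: " + path)
    return posixpath.normpath("/" + path.lstrip("/"))

def parse_conf(text):
    """Return (default, rules). Policies: 'ro'/'rw' = host path exposed,
    'jail' = host path ignored, the jail's own directory is used (assumed)."""
    default, rules, current = None, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0].isspace():                 # indented: path in current block
            if current is None:
                raise ValueError("path outside a block: " + words[0])
            rules[norm(words[0])] = current
        elif words[0] == "allow-all" and len(words) == 2:
            default = MODES[words[1]]
        elif words == ["ignore-all"]:
            default = "jail"
        elif words == ["ignore"]:
            current = "jail"
        elif words[0] == "allow" and len(words) == 2:
            current = MODES[words[1]]
        else:
            raise ValueError("unknown directive: " + raw)
    if default is None:
        raise ValueError("missing allow-all / ignore-all default")
    return default, rules

def resolve(conf, path):
    """Most specific rule wins, matched on whole path components."""
    default, rules = conf
    path = norm(path)
    while path not in rules:
        if path == "/":
            return default
        path = posixpath.dirname(path)
    return rules[path]
```

Matching on whole components keeps /usr/homework from inheriting the /usr/home rule, and normalising first keeps a ".." sequence from carrying the read-write distfiles rule over to /etc.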
