From owner-freebsd-stable@FreeBSD.ORG  Sun Feb 16 15:18:09 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 799E8A8F
 for <freebsd-stable@freebsd.org>; Sun, 16 Feb 2014 15:18:09 +0000 (UTC)
Received: from moof.catpipe.net (moof.catpipe.net [194.28.252.64])
 by mx1.freebsd.org (Postfix) with ESMTP id 33FD715DC
 for <freebsd-stable@freebsd.org>; Sun, 16 Feb 2014 15:18:08 +0000 (UTC)
Received: from localhost (moof.catpipe.net [194.28.252.64])
 by localhost.catpipe.net (Postfix) with ESMTP id 475DF4CEA9B;
 Sun, 16 Feb 2014 16:13:00 +0100 (CET)
Received: from moof.catpipe.net ([194.28.252.64])
 by localhost (moof.catpipe.net [194.28.252.64]) (amavisd-new, port 10024)
 with ESMTP id kudSAQzXnmKL; Sun, 16 Feb 2014 16:12:59 +0100 (CET)
Received: from macbook.bluepipe.net (unknown [175.139.232.82])
 (Authenticated sender: relayuser)
 by moof.catpipe.net (Postfix) with ESMTPA id 8571A4CE9B7;
 Sun, 16 Feb 2014 16:12:59 +0100 (CET)
Received: by macbook.bluepipe.net (Postfix, from userid 1001)
 id 1109B1C7A5B5; Sun, 16 Feb 2014 23:12:57 +0800 (MYT)
Date: Sun, 16 Feb 2014 23:12:57 +0800
From: Phil Regnauld <regnauld@x0.dk>
To: "A.J. 'Fonz' van Werven" <freebsd@skysmurf.nl>
Subject: Re: Should I use jail?
Message-ID: <20140216151257.GP71201@macbook.bluepipe.net>
References: <CAA_8tFq7JNw0=nqz5ByyfJs8cyEu+5z+sry=NESViegUSZBJ0Q@mail.gmail.com>
 <5300C998.7010508@gibfest.dk>
 <20140216142824.GA25883@spectrum.skysmurf.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140216142824.GA25883@spectrum.skysmurf.nl>
X-Operating-System: Darwin 13.0.0 x86_64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Feb 2014 15:18:09 -0000

A.J. 'Fonz' van Werven (freebsd) writes:
> Thomas Steen Rasmussen wrote:
> 
> > For what it's worth I never, ever run any service without running it in
> > a jail.
> 
> Smartass comment: if that includes ntpd or a master NIS server, would you
> care to divulge how you did that?

	I don't know why the NIS server would be any different, but for services
	that require access to devices (say, ntpd talking to a GPS over USB), you
	define new devfs rules to unhide the requisite /dev/ entries for the
	jails running the service. I do this for OpenDNSSEC using a smartcard
	reader.

	Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
	among other things - but beware of giving access to raw devices this
	way) and ugen* devices under /dev/

[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide

	Cheers,
	Phil