Date: Wed, 17 May 2000 11:07:58 -0500
From: "Jacques A . Vidrine" <n@nectar.com>
To: Robert Watson <rwatson@freebsd.org>
Cc: Geoffrey Robinson <geoff@grobin.org>, security@freebsd.org
Subject: Re: Jail: Problems? Proper Usage? Status? Practicality?
Message-ID: <20000517110758.C6884@bone.nectar.com>
In-Reply-To: <Pine.NEB.3.96L.1000516170812.15891F-100000@fledge.watson.org>; from rwatson@freebsd.org on Wed, May 17, 2000 at 11:05:07AM -0400
References: <Pine.BSF.4.10.10005161420040.77736-100000@grobin.org> <Pine.NEB.3.96L.1000516170812.15891F-100000@fledge.watson.org>
On Wed, May 17, 2000 at 11:05:07AM -0400, Robert Watson wrote:
> Jail works by:
>
> 1) Chrooting the child process
> 2) Limiting the scope of superuser privileges accessible by uid0 processes
>    in the jail
> 3) Limiting network access to a single IP address

[snip]

> Right now, each jail costs you the size of world, and is hard to upgrade
> if you have any decent number of jails.

You don't need the whole world, depending on what you are doing. If a jail is set up for the purposes of a single application (which I expect is the most common scenario), you only need the files that support it. Upgrading the jail is simple if you created a script to create the jail in the first place -- you re-run the script after upgrading the base system.

For me the real problem with this scheme is producing the script for building a jail in the first place. I do it by hand. One of these days I'd like to try writing an application that can generate a first-draft script for building a jail, given a list of applications that need to run in the jail. I think it might be nifty to do this based on the output of a ktrace on the target applications during a test run.

> Storing all that stuff in a single tree mapped read-only into jails would
> solve that (you'd probably want two so you could upgrade one, test it, and
> then swap to that for all jails so as to minimize downtime).

I don't think you want this unless the purpose of your jail is to provide a `complete virtual server' for shell access et al. I don't want e.g. `cc' or `sync' or most of the things in `/dev' to be available to a jailed process.

> I'll gather up my notes on possible improvements and post them to
> -security sometime in the next week or two. Thanks!

Yay, thanks Robert!

--
Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
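The ktrace-driven jail builder Jacques sketches above, as an added example that is not code from this thread: it reads kdump(1) output, keeps the absolute paths whose lookups actually succeeded (the dynamic linker and locale code probe directories that do not exist, and copying those would only bloat the jail), and emits a first-draft sh script that recreates only those files under the jail root. The kdump record layout, the sample trace and the /usr/jail/app root are assumptions.

```python
import os
import re
from collections import OrderedDict

# Constructed sample of kdump(1) output (assumed layout: "pid command TYPE data").
SAMPLE_KDUMP = """\
 1234 ls       CALL  open(0x800a1b2c0,0<O_RDONLY>)
 1234 ls       NAMI  "/etc/libmap.conf"
 1234 ls       RET   open -1 errno 2 No such file or directory
 1234 ls       CALL  open(0x800a1b2d0,0<O_RDONLY>)
 1234 ls       NAMI  "/lib/libutil.so.9"
 1234 ls       RET   open 3
 1234 ls       NAMI  "/lib/libc.so.7"
 1234 ls       RET   open 3
 1234 ls       NAMI  "/lib/libc.so.7"
 1234 ls       RET   open 3
 1234 ls       NAMI  "/usr/share/locale/C/LC_CTYPE"
 1234 ls       RET   open -1 errno 2 No such file or directory
 1234 ls       NAMI  "/usr/share/locale/en_US.UTF-8/LC_CTYPE"
 1234 ls       RET   open 3
 1234 ls       NAMI  "."
 1234 ls       RET   open 4
"""

NAMI_RE = re.compile(r'^\s*\d+\s+\S+\s+NAMI\s+"(.*)"\s*$')   # path the kernel looked up
RET_RE = re.compile(r'^\s*\d+\s+\S+\s+RET\s+\S+\s+(-?\d+)')  # result of that call

def files_used(kdump_text):
    """Absolute paths the traced program opened successfully, in first-seen order.

    Each NAMI record is paired with the RET record that follows it; a negative
    return value means the lookup failed, so the path is dropped.  Relative
    paths are skipped because they depend on the process's working directory.
    """
    found = OrderedDict()
    pending = None
    for line in kdump_text.splitlines():
        m = NAMI_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RET_RE.match(line)
        if m and pending is not None:
            if int(m.group(1)) >= 0 and pending.startswith("/"):
                found[pending] = True
            pending = None
    return list(found)

def jail_script(paths, jail_root="/usr/jail/app"):
    """First-draft sh script that copies only the listed files under jail_root."""
    lines = ["#!/bin/sh", "set -e", "J=%s" % jail_root]
    for d in sorted({os.path.dirname(p) for p in paths}):
        lines.append('mkdir -p "$J%s"' % d)
    for p in paths:
        lines.append('cp -p "%s" "$J%s"' % (p, p))
    return "\n".join(lines) + "\n"
```

Running `files_used` over a real trace (`ktrace -t n` plus `kdump`) of the application and feeding the result to `jail_script` gives the script to re-run after each base-system upgrade; review it by hand before using it, since devices, config files created at runtime and anything the test run did not exercise will be missing.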