Date: Mon, 15 May 2000 12:53:42 -0400 (EDT) From: Geoffrey Robinson <geoff@grobin.org> To: security@freebsd.org Subject: Jail: Problems? Proper Usage? Status? Practicality? Message-ID: <Pine.BSF.4.10.10005151143580.75260-100000@grobin.org>
next in thread | raw e-mail | index | archive | help
ver: FreeBSD 4.0-STABLE #0: Sun May 14 11:06:58 EDT 2000
I'm planning to use jail in the near future to do two things. First is to
generally increase the security of a system by putting services like http,
smtp, ftp, etc. into separate jails to decrease the potential harm of a
security hole. This system will only allow shell accesses to trusted
individuals. The second plan is to create multiple, virtual servers on
another host system. These virtual servers will allow shell access to
semi-trusted individuals, including the jail root user. Also the jail
administrator could potentially run unsecure services. This second plan is
tentative depending on the reliability of jail.
I have setup a test jail on my workstation with good results. The first
problem I have found is that I can't access the jailed IP at all from the
host system, nor the host system from the jailed one. However both host
and jailed IPs are accessible to other machines on the network. Is this
intentional? The jailed system can access the Internet fine through my natd
setup on the host system (which actually surprised me). I'm aware that
raw sockets are not allowed to jailed processes but is there a workaround
for ping and traceroute?
Finally how secure is jail really? I'm aware of a trivial chroot breakout
technique. Does that hole still exist? Are there any other known holes? Is
jail still under active development? Is it worth the trouble to do any of
this?
Thanks.
------------------------------------------------------------------------------
| Geoffrey Robinson - geoff@grobin.org |
------------------------------------------------------------------------------
Random Fortune Quote
When you're not looking at it, this fortune is written in FORTRAN.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10005151143580.75260-100000>