Date: Thu, 3 Mar 2005 13:16:49 -0500 From: Anish Mistry <mistry.7@osu.edu> To: freebsd-questions@freebsd.org Cc: Chris Hodgins <chodgins@cis.strath.ac.uk> Subject: Re: Sharing directories with jails Message-ID: <200503031316.56083.mistry.7@osu.edu> In-Reply-To: <42274C9D.4000107@cis.strath.ac.uk> References: <4227164D.3050103@cis.strath.ac.uk> <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> <42274C9D.4000107@cis.strath.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart2607500.p0zsMTOczU Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote: > Ean Kingston wrote: > >>How dangerous is it to share the ports directory with jails on > >> the system? I am using the jails to give other access to a > >> freebsd system. You can assume they are untrusted (hence the > >> jail ;)). > >> > >>Is it enough just to: > >>ln -s /usr/ports /usr/jail/ajail/usr/ports > > > > That won't work. The jail does a chroot (along with other things) > > when it starts up so the link inside the jail will wind up > > pointing to itself. > > Doh! :) > > > The only way I've been able to figure out how to do something > > like that is by running an NFS server outside the jail and then > > run an NFS client inside the jail to get access to the disk space > > outside the jail via NFS. I actually have a separate jail for the > > NFS server and export everything read-only. > > Interesting idea. > > > Now, I'm sure you've thought of this but I'm going to say it for > > anyone reading the archives. You do know that giving the jailed > > processes access to anything outside the jail will reduce the > > security advantages of having a jail in the first place? > > Well I wasn't sure about this...hence the question. > > > Besides, why would you provide a jailed process with access to > > development tools? You are just making it much easier for anyone > > with access to the jail to build/install software to help them > > break out of the jail. > > > >>Thanks > >>Chris > > Ok perhaps I should clarify what my intentions are a little more.=20 > I am planning on providing a FreeBSD jail for any member of a geek > society I am a member of. When I say they are untrusted, I mean > that I won't be giving them full root access to my server but I > trust them enough not to do anything malicious inside a jail. It > is just like a fun place they can play and not have to worry to > much about breaking things. > > How easy is it exactly to break out of a jail if you have access to > development tools? > http://www.securiteam.com/unixfocus/5WP031535U.html If you use securelevels you can a sigificantly improve security. =2D-=20 Anish Mistry --nextPart2607500.p0zsMTOczU Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCJ1SYxqA5ziudZT0RAt8ZAKCyB1lEOeMV7NTc9fneq37DTClz/wCgrKH5 ybxWwJpd+FbnjyyRrolo1UM= =NKxO -----END PGP SIGNATURE----- --nextPart2607500.p0zsMTOczU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200503031316.56083.mistry.7>