From owner-freebsd-questions@FreeBSD.ORG Thu Mar 3 18:12:56 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52C8E16A4CE for ; Thu, 3 Mar 2005 18:12:56 +0000 (GMT) Received: from crumpet.united-ware.com (ddsl-66-42-172-210.fuse.net [66.42.172.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94D4843D2D for ; Thu, 3 Mar 2005 18:12:55 +0000 (GMT) (envelope-from mistry.7@osu.edu) Received: from [192.168.1.100] (adsl-68-252-59-28.dsl.wotnoh.ameritech.net [68.252.59.28]) (authenticated bits=0)j23HiZlu083632 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Thu, 3 Mar 2005 12:44:36 -0500 (EST) (envelope-from mistry.7@osu.edu) From: Anish Mistry To: freebsd-questions@freebsd.org Date: Thu, 3 Mar 2005 13:16:49 -0500 User-Agent: KMail/1.7 References: <4227164D.3050103@cis.strath.ac.uk> <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> <42274C9D.4000107@cis.strath.ac.uk> In-Reply-To: <42274C9D.4000107@cis.strath.ac.uk> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2607500.p0zsMTOczU"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200503031316.56083.mistry.7@osu.edu> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.64 X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on crumpet.united-ware.com cc: Chris Hodgins Subject: Re: Sharing directories with jails X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 18:12:56 -0000 --nextPart2607500.p0zsMTOczU Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote: > Ean Kingston wrote: > >>How dangerous is it to share the ports directory with jails on > >> the system? I am using the jails to give other access to a > >> freebsd system. You can assume they are untrusted (hence the > >> jail ;)). > >> > >>Is it enough just to: > >>ln -s /usr/ports /usr/jail/ajail/usr/ports > > > > That won't work. The jail does a chroot (along with other things) > > when it starts up so the link inside the jail will wind up > > pointing to itself. > > Doh! :) > > > The only way I've been able to figure out how to do something > > like that is by running an NFS server outside the jail and then > > run an NFS client inside the jail to get access to the disk space > > outside the jail via NFS. I actually have a separate jail for the > > NFS server and export everything read-only. > > Interesting idea. > > > Now, I'm sure you've thought of this but I'm going to say it for > > anyone reading the archives. You do know that giving the jailed > > processes access to anything outside the jail will reduce the > > security advantages of having a jail in the first place? > > Well I wasn't sure about this...hence the question. > > > Besides, why would you provide a jailed process with access to > > development tools? You are just making it much easier for anyone > > with access to the jail to build/install software to help them > > break out of the jail. > > > >>Thanks > >>Chris > > Ok perhaps I should clarify what my intentions are a little more.=20 > I am planning on providing a FreeBSD jail for any member of a geek > society I am a member of. When I say they are untrusted, I mean > that I won't be giving them full root access to my server but I > trust them enough not to do anything malicious inside a jail. It > is just like a fun place they can play and not have to worry to > much about breaking things. > > How easy is it exactly to break out of a jail if you have access to > development tools? > http://www.securiteam.com/unixfocus/5WP031535U.html If you use securelevels you can a sigificantly improve security. =2D-=20 Anish Mistry --nextPart2607500.p0zsMTOczU Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCJ1SYxqA5ziudZT0RAt8ZAKCyB1lEOeMV7NTc9fneq37DTClz/wCgrKH5 ybxWwJpd+FbnjyyRrolo1UM= =NKxO -----END PGP SIGNATURE----- --nextPart2607500.p0zsMTOczU--