From owner-freebsd-questions@FreeBSD.ORG Fri Mar 4 15:24:26 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 662C816A4CE for ; Fri, 4 Mar 2005 15:24:26 +0000 (GMT) Received: from smtp.cm.utexas.edu (smtp.cm.utexas.edu [146.6.135.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 29D7743D1D for ; Fri, 4 Mar 2005 15:24:26 +0000 (GMT) (envelope-from virenp@mail.utexas.edu) Received: from mail.cm.utexas.edu (smtp.cm.utexas.edu [146.6.135.3]) by smtp.cm.utexas.edu (Postfix) with ESMTP id A2B7A6D448; Fri, 4 Mar 2005 09:24:25 -0600 (CST) Received: from 146.6.178.5 (SquirrelMail authenticated user virenp) by mail.cm.utexas.edu with HTTP; Fri, 4 Mar 2005 09:24:25 -0600 (CST) Message-ID: <32824.146.6.178.5.1109949865.squirrel@mail.cm.utexas.edu> In-Reply-To: <200503031815.04158.mistry.7@osu.edu> References: <4227164D.3050103@cis.strath.ac.uk> <200503031316.56083.mistry.7@osu.edu> <4011.216.220.59.169.1109888589.squirrel@216.220.59.169> <200503031815.04158.mistry.7@osu.edu> Date: Fri, 4 Mar 2005 09:24:25 -0600 (CST) From: "Viren Patel" To: "Anish Mistry" User-Agent: SquirrelMail/1.4.4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal cc: freebsd-questions@freebsd.org Subject: Re: Sharing directories with jails X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: virenp@mail.utexas.edu List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 15:24:26 -0000 > On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote: >> > On Thursday 03 March 2005 12:42 pm, Chris Hodgins >> wrote: >> >> [cut original question and answer] >> >> >> Ok perhaps I should clarify what my intentions are a >> little >> >> more. I am planning on providing a FreeBSD jail for >> any member >> >> of a geek society I am a member of. When I say they >> are >> >> untrusted, I mean that I won't be giving them full >> root access >> >> to my server but I trust them enough not to do >> anything >> >> malicious inside a jail. It is just like a fun place >> they can >> >> play and not have to worry to much about breaking >> things. >> >> >> >> How easy is it exactly to break out of a jail if you >> have access >> >> to development tools? >> > >> > http://www.securiteam.com/unixfocus/5WP031535U.html >> >> How current is this? The article appears to be dated >> 2001. Are >> there still buffer-overflow issues with /proc? >> > > 5.3 and later no longer need proc and it's not mounted by > default. > >> > If you use securelevels you can a sigificantly improve >> security. > > -- > Anish Mistry > The jail manpage instructs to mount proc when starting a jail and the /etc/rc.d/jail scripts mounts both devfs and procfs. Are you saying this is not needed and if so why and how to disable? Thanks. -- Viren Patel