From owner-freebsd-questions@FreeBSD.ORG Mon Mar 7 16:16:25 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9798A16A4CE for ; Mon, 7 Mar 2005 16:16:25 +0000 (GMT) Received: from www.wcborstel.nl (wcborstel.demon.nl [82.161.134.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id C8D8E43D54 for ; Mon, 7 Mar 2005 16:16:22 +0000 (GMT) (envelope-from jorn@wcborstel.nl) Received: from localhost (localhost [127.0.0.1]) by www.wcborstel.nl (Postfix) with ESMTP id 2B24C425C; Mon, 7 Mar 2005 17:18:53 +0100 (CET) Received: from www.wcborstel.nl ([127.0.0.1]) by localhost (www.wcborstel.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86878-03; Mon, 7 Mar 2005 17:18:46 +0100 (CET) Received: from www.wcborstel.nl (localhost [127.0.0.1]) by www.wcborstel.nl (Postfix) with ESMTP id 6465B408C; Mon, 7 Mar 2005 17:18:46 +0100 (CET) From: "Jorn Argelo" To: Frank de Bot , freebsd-questions@freebsd.org Date: Mon, 7 Mar 2005 17:18:46 +0100 Message-Id: <20050307161304.M78434@wcborstel.nl> In-Reply-To: <422C7B99.5010504@searchy.net> References: <422C7B99.5010504@searchy.net> X-Mailer: Open WebMail 2.50 20050106 X-OriginatingIP: 193.172.19.20 (jorn) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-Virus-Scanned: by amavisd-new at mail.wcborstel.nl Subject: Re: Jail security X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Mar 2005 16:16:25 -0000 On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote > Hi, > > I've set up a jail. But I don't have any idea how safe a jail is. > Often is told chroot and jails can be escaped. How safe is it to > give other people user access to a jailed environment? or maybe even > root... A jailed process cannot leave its jail. Unless some exploit is being found in jail itself, but that's rather unlikely. A cracker can only mess up your jail and not your entire host. So if you build 4 jails for Apache, MySQL, Squid and Postfix for instance, each of those processes will only run in its jail and cannot interact with another jail or the host. Which is more secure then just putting everything on your host. Another major advantage of jails is that you can experiment at will without touching your production enviroment. Just create a jail and install apache in the other jail. Once you are finished and it works, just amend your firewall settings and you're ready to go. If you're experienced enough I'd encourage you to use them. It can be complicated for a newbie, but if you know your way around FreeBSD and the command line, you should really use jails. Jorn.