Date:      Tue, 2 Apr 2002 18:14:02 -0700
From:      "David G . Andersen" <danderse@cs.utah.edu>
To:        freebsd-security@freebsd.org
Subject:   Jail with one IP?
Message-ID:  <20020402181402.A27138@cs.utah.edu>

Does anyone have warnings / experience with how Jail will behave
when used with a single IP address, as "chroot++"?  
What I'm really looking for is something that's a
hybrid between chroot and jail;  my machines have only a single IP address,
but I'd like the benefit of a real Jail environment, that people can access
through an sshd started on a different port from within the jail.

It seems to have the dangers one would expect - root inside the jail can bind
TCP ports that take over those from the external jail environment (highly
bummer), but these can likely be fixed with a little bit of hackery,
or very easily by denying binding to ports < 1024 from the jail environment.
Are there any other caveats of which I should be aware before heading down
this road?  Or has anyone else done this before and has lots of good advice?

TIA,

   -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
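As an added example (not part of the post above, nor FreeBSD code), a small audit over a constructed, sockstat-style listing of listening sockets that reports the two things the message worries about on a single-IP box: a jail claiming the same proto/port as the host, and any jail bind to a reserved port (< 1024). The "JID COMMAND PROTO LOCAL_ADDRESS" input layout is an assumption, not sockstat(1)'s exact output format.

```python
"""Audit listeners for a jail sharing the host's single IP: report jail binds
that collide with host listeners and jail binds to reserved ports (< 1024).
Added example, not code from the original post or from FreeBSD. Input is a
constructed, sockstat-like "JID COMMAND PROTO LOCAL_ADDRESS" list (JID 0 is the
host); that layout is an assumption, not sockstat(1)'s exact output."""
from collections import defaultdict

# Constructed sample: host sshd and named, plus jail 1 sharing 192.0.2.10.
SAMPLE = """\
0 sshd     tcp4 192.0.2.10:22
0 named    udp4 192.0.2.10:53
1 sshd     tcp4 192.0.2.10:2222
1 httpd    tcp4 192.0.2.10:80
1 ntpd     udp4 192.0.2.10:53
1 sendmail tcp4 *:25
"""

def parse_listeners(text):
    """Return (jid, command, proto, ip, port) tuples; ip '*' is a wildcard bind."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            jid, cmd, proto, addr = line.split()
            ip, port = addr.rsplit(":", 1)
            rows.append((int(jid), cmd, proto, ip, int(port)))
    return rows

def addrs_overlap(ip_a, ip_b):
    # With one IP on the box, a wildcard bind covers that address as well.
    return ip_a == ip_b or "*" in (ip_a, ip_b)

def find_issues(rows, reserved_max=1023):
    """Return (conflicts, reserved): conflicts are (proto, port, [(jid, cmd, ip)])
    groups where host and jail claim the same proto/port on overlapping
    addresses; reserved lists (jid, cmd, proto, port) for jail binds <= reserved_max."""
    by_port, reserved = defaultdict(list), []
    for jid, cmd, proto, ip, port in rows:
        by_port[(proto, port)].append((jid, cmd, ip))
        if jid != 0 and port <= reserved_max:  # what the jail should be denied
            reserved.append((jid, cmd, proto, port))
    conflicts = []
    for (proto, port), owners in sorted(by_port.items()):
        # keep every socket that overlaps one from a different jail/host
        clash = [o for o in owners
                 if any(o[0] != p[0] and addrs_overlap(o[2], p[2]) for p in owners)]
        if clash:
            conflicts.append((proto, port, sorted(clash)))
    return conflicts, reserved
```

On the sample, udp/53 is reported as a host/jail collision and the jail's binds to 80, 53 and 25 as reserved-port findings.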
