Message-ID: <473B3C56.5020103@cederstrand.dk>
Date: Wed, 14 Nov 2007 19:20:06 +0100
From: Erik Cederstrand
To: Matt Fioravante
Cc: freebsd-questions@freebsd.org
Subject: Re: Jails and multicore boxes
In-Reply-To: <3eca10930711140740gb8c2b88v6a13795c41e3eafb@mail.gmail.com>

Matt Fioravante wrote:
> I've heard that things like freebsd jails or solaris zones can still
> be insecure on multicore boxes because a race condition can occur. I
> don't know more details about it other than that. Is this true now on
> freebsd?

There's always the possibility that a bug exists which lets you break out of a jail and gives you access to the host system.

> Also, I have a home server which I'm considering running apache, bind,
> dhcp, and possibly opening ports for some other services. Is it
> overkill to run all of these each in their own jail?

You'll have to answer that yourself. How valuable is your data? What are you trying to protect? If you're worrying about getting cracked and used as a spam bot, jails are no more secure than a non-jail system.

Erik