Date: Sun, 16 Feb 2014 23:12:57 +0800
From: Phil Regnauld <regnauld@x0.dk>
To: "A.J. 'Fonz' van Werven" <freebsd@skysmurf.nl>
Cc: freebsd-stable@freebsd.org
Subject: Re: Should I use jail?
Message-ID: <20140216151257.GP71201@macbook.bluepipe.net>
In-Reply-To: <20140216142824.GA25883@spectrum.skysmurf.nl>
References: <CAA_8tFq7JNw0=nqz5ByyfJs8cyEu%2B5z%2Bsry=NESViegUSZBJ0Q@mail.gmail.com> <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl>
A.J. 'Fonz' van Werven (freebsd) writes:
> Thomas Steen Rasmussen wrote:
>
> > For what it's worth I never, ever run any service without running it in
> > a jail.
>
> Smartass comment: if that includes ntpd or a master NIS server, would you
> care to divulge how you did that?

	I don't know why the NIS server would be any different, but for
	services that require access to devices (say, ntpd talking to a GPS
	over USB), you define new devfs rules to unhide the requisite /dev/
	entries for the jails running the service.

	I do this for OpenDNSSEC using a smartcard reader.

	Here's a devfs.conf entry to make it possible to access BPF (for
	tcpdump among other things - but beware of giving access to raw
	devices this way) and ugen* devices under /dev/:

[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide

Cheers,
Phil
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140216151257.GP71201>
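The ruleset Phil posts is the whole mechanism; what the message leaves implicit is how it is wired to a jail and how narrow the unhide globs should be. The script below is an added example written for this archive page, not code from the thread or from FreeBSD. It renders a devfs.rules(5) stanza from a list of device globs, renders the matching jail.conf(5) stanza (devfs_ruleset plus mount.devfs), and audits the globs for the caveat Phil raises: entries that hand the jail raw or whole-class device access. The ruleset name and number (devfsrules_jail_bpf, 5) and the jail name "dnssec" are assumptions for illustration; the stock rulesets 1-4 live in /etc/defaults/devfs.rules, so check that file for numbers already in use before picking one.

```shell
#!/bin/sh
# Added example (not from the original thread): build a devfs ruleset that
# unhides selected /dev entries for a jail, plus the jail.conf stanza that
# applies it. Ruleset name/number and the jail name are assumptions.
set -eu

# Print an /etc/devfs.rules stanza. $1 = ruleset name, $2 = ruleset number,
# remaining args = device path globs to unhide. Everything not listed stays
# hidden because the stanza includes the stock devfsrules_jail ruleset,
# which itself starts from devfsrules_hide_all.
render_devfs_ruleset() {
    name=$1; num=$2; shift 2
    printf '[%s=%s]\n' "$name" "$num"
    printf 'add include $devfsrules_jail\n'
    for glob in "$@"; do
        printf "add path '%s' unhide\n" "$glob"
    done
}

# Print a jail.conf(5) stanza that mounts devfs in the jail with the given
# ruleset. $1 = jail name, $2 = ruleset number.
render_jail_conf() {
    printf '%s {\n    devfs_ruleset = %s;\n    mount.devfs;\n}\n' "$1" "$2"
}

# Flag globs that expose more than the one device the service needs.
# A bare '*' or a whole device family (disks, all USB generics, memory
# devices) gives jail root far more than intended; bpf is flagged because it
# permits raw packet capture and injection on every interface the jail can
# see, which is exactly the caveat in the message above.
# Prints one warning per risky glob on stderr and the count on stdout.
audit_globs() {
    risky=0
    for glob in "$@"; do
        case $glob in
            '*'|'da*'|'ada*'|'ugen*'|'mem'|'kmem'|'io')
                echo "WARN: '$glob' exposes a broad or raw device class" >&2
                risky=$((risky + 1)) ;;
            bpf*)
                echo "WARN: '$glob' permits raw packet capture/injection" >&2
                risky=$((risky + 1)) ;;
        esac
    done
    echo "$risky"
}

# Stand-alone run: the two stanzas for the globs used in the thread, then
# the audit result (bpf* is reported as risky, ugen0.* is not).
render_devfs_ruleset devfsrules_jail_bpf 5 'bpf*' 'ugen0.*'
echo
render_jail_conf dnssec 5
echo
echo "risky globs: $(audit_globs 'bpf*' 'ugen0.*')"
```

After appending the first stanza to /etc/devfs.rules and the second to /etc/jail.conf, `service devfs restart` reloads the rulesets and `service jail restart dnssec` remounts the jail's devfs with ruleset 5; `jexec dnssec ls -l /dev/bpf /dev/ugen0.1` from the host confirms the nodes are visible inside. One check worth doing first: run `ls -l /dev/ugen0.1` on the host, because if it is a symlink into /dev/usb/ the link target must be unhidden as well, or the jail sees a dangling link.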