Date: Tue, 13 Jul 2010 20:21:05 +0200
From: Julian Fagir <gnrp@gnrp.in-berlin.de>
To: freebsd-questions@freebsd.org
Subject: Re: Clarification: "Jail" -vs- "Chroot"
Message-ID: <20100713202105.3be41324@adolfputzen>
In-Reply-To: <AANLkTimdPaIJgfhmJ1r6I1M9AoZUzcKLrnqxcnr3XIvK@mail.gmail.com>
References: <AANLkTimdPaIJgfhmJ1r6I1M9AoZUzcKLrnqxcnr3XIvK@mail.gmail.com>

Hi,

> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.

Yes, it has both of them. You still want to use chroot, also it is kind of
'part' of a jail (technically perhaps it's implemented separately).

> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

In Solaris, you have zones, and there are several projects to do the same
thing with Linux (Linux-vserver etc).

> 3.) When reading something (book, article, etc.), is there a way to
> determine if the author is, in fact, talking about truly a "jail" or
> are they really just referring to a "chroot" environment? For example,
> I have a book ("Preventing web attacks with Apache") that says:
>
> "Chroot is short for change root and essentially allows you to run
> programs in a protected or jailed environment. The main benefit of a
> chroot jail is that the jail will limit the portion of the file system
> the daemon can see to the root directory of the jail. Additionally,
> since the jail only needs to support Apache, the programs available in
> the jail can be extremely limited."

Usually, only FreeBSD-specific books will talk about jails, as chroot is the
generic Unix-way for that. Anyway, in many cases you can use a jail for the
same things a chroot-environment is talked about.
In this case, I think he's really talking about a chroot, as he's only
talking about the file system, not the network etc.

> 4.) Jail is the more secure of the two options?

I cannot really answer this, but a jail is the more separated way. So, I
would say, a jail is more secure. If the extras of a jail are not needed, it
is perhaps more insecure, as there are more points to break into the system.
But, don't rely on my answer, I never looked at the kernel-side of jails the
very technical way.

> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
> edition of "Absolute FreeBSD" says:
>
> "Chrooting is useful for web servers that have multiple clients on one
> machine—that is, web servers with many virtual hosts."

On the FreeBSD-machines I manage, I use chroot for the services that are not
that security-relevant or can easily be separated, i.e. on some distributions
you can put your apache or bind easily into a chroot-environment.
Also, a chroot-environment can have other targets than a jail, e.g. if you
only want to have another file system-visibility instead of a new jail as you
do when you have to start with a live-cd into a non-booting system.

Sorry for my English. :)

Regards, Julian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100713202105.3be41324>