From owner-freebsd-questions@FreeBSD.ORG Thu Mar 3 16:03:55 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81C0316A4CE for ; Thu, 3 Mar 2005 16:03:55 +0000 (GMT) Received: from prosporo.hedron.org (hedron.org [66.11.182.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 933CC43D41 for ; Thu, 3 Mar 2005 16:03:54 +0000 (GMT) (envelope-from ean@hedron.org) Received: from www.hedron.org (localhost.hedron.org [127.0.0.1]) by prosporo.hedron.org (Postfix) with ESMTP id 73D99C120; Thu, 3 Mar 2005 11:04:32 -0500 (EST) Received: from 216.220.59.169 (SquirrelMail authenticated user ean); by www.hedron.org with HTTP; Thu, 3 Mar 2005 11:04:32 -0500 (EST) Message-ID: <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> In-Reply-To: <4227164D.3050103@cis.strath.ac.uk> References: <4227164D.3050103@cis.strath.ac.uk> Date: Thu, 3 Mar 2005 11:04:32 -0500 (EST) From: "Ean Kingston" To: "Chris Hodgins" User-Agent: SquirrelMail/1.4.3a X-Mailer: SquirrelMail/1.4.3a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal cc: freebsd-questions@freebsd.org Subject: Re: Sharing directories with jails X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 16:03:55 -0000 > How dangerous is it to share the ports directory with jails on the > system? I am using the jails to give other access to a freebsd system. > You can assume they are untrusted (hence the jail ;)). > > Is it enough just to: > ln -s /usr/ports /usr/jail/ajail/usr/ports That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself. The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only. Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place? Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail. > Thanks > Chris -- Ean Kingston E-Mail: ean_AT_hedron_DOT_org PGP KeyID: 1024D/CBC5D6BB URL: http://www.hedron.org/