Date: Mon, 22 Sep 2008 08:43:32 +0200 (CEST)
From: Konrad Heuer <kheuer2@gwdg.de>
To: Matt Fioravante <fmatthew5876@gmail.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Shared /usr in jails
Message-ID: <20080922083941.Q49951@gwdu60.gwdg.de>
In-Reply-To: <3eca10930809212301t207b6d08p26eb27294350227a@mail.gmail.com>
References: <3eca10930809212301t207b6d08p26eb27294350227a@mail.gmail.com>
On Mon, 22 Sep 2008, Matt Fioravante wrote:

> I want to implement a number of jails for different services on a single
> box.
>
> Since /usr is the same everywhere I'd like to just mount one copy of it
> read-only to all the jails and then have them each have their own /usr/local.
>
> Someone recommended keeping the main system's /usr separate. This would mean
> building a /usr for the main system and then making a copy of it
> to be shared by the jails.
>
> Aesthetics and philosophy aside, are there any real security holes in just
> using the system's /usr everywhere if it is mounted read-only in the jails?
> This seems to be the approach used by Solaris zones.

For a couple of years, I shared /usr on a dozen hosts by NFS. Worked fine,
but I mounted it read-only on all but one box. Thus, I had to symlink very
few files or directories out from /usr to /var.

For security and reliability, I'd recommend limiting read-write access to /usr.

Best regards

Konrad Heuer
GWDG, Am Fassberg, 37077 Goettingen, Germany, kheuer2@gwdg.de
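The layout Matt asks about and Konrad's advice to keep /usr read-only, as an added example that is not part of the thread: a generator for a per-jail fstab (the kind rc.conf's jail_<name>_fstab or a later jail.conf's mount.fstab points at) that nullfs-mounts the host's /usr read-only and layers a per-jail writable /usr/local on top, plus an audit function that rejects any fstab giving a jail a writable view of the shared /usr. The jail root /jails/<name> and the per-jail directory /jails/local/<name> are assumed paths chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Paths under /jails are
# assumptions for illustration; the fstab field layout follows fstab(5).

# Print fstab.<jail> for one jail. Order matters: the read-only /usr must be
# mounted before the per-jail /usr/local is mounted on top of it, and the
# host's own /usr/local directory serves as the mount point underneath.
jail_fstab() {
    name=$1
    root=/jails/$name
    printf '%s\t%s\tnullfs\tro\t0\t0\n' /usr "$root/usr"
    printf '%s\t%s\tnullfs\trw\t0\t0\n' "/jails/local/$name" "$root/usr/local"
}

# Audit an fstab read from stdin. Returns 1 (and names the offending line) if
# a nullfs mount of the host's /usr lacks the ro option, or if anything other
# than <root>/usr/local is mounted writable inside the jail's /usr; 0 if safe.
check_fstab() {
    awk '
        /^#/ || NF < 4 { next }
        $3 == "nullfs" && $1 == "/usr" {
            n = split($4, o, ","); ro = 0
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            if (!ro) { bad = 1; print "shared /usr is writable: " $0 }
        }
        $3 == "nullfs" && index($2, "/usr/") > 0 && $2 !~ /\/usr\/local$/ {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "rw") { bad = 1; print "writable mount inside shared /usr: " $0 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage: generate the fstab for a jail named "www" and audit it before use.
# jail_fstab www | tee /etc/fstab.www | check_fstab
```

Run the audit against every fstab.<jail> on the host after any edit; a single `rw` on the shared /usr line is exactly the kind of slip that turns one jail compromise into a modified binary visible to all jails and the host.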