Date: Sun, 29 Jul 2007 11:57:45 -0700
From: Paul Hoffman <phoffman@proper.com>
To: freebsd-jail@freebsd.org
Subject: What to put in devfs for a typical jail
Message-ID: <p0624081fc2d292d4ed73@[10.20.30.108]>
Greetings. I want to set up a jail for a web server. It only needs to access the things a normal system would (its own disk space, the network controller, the keyboard, and so on). I need to be SSHing into the jailed system to control it.

The manpage for jail says:

    NOTE: It is important that only appropriate device nodes in devfs be exposed to a jail; access to disk devices in the jail may permit processes in the jail to bypass the jail sandboxing by modifying files outside of the jail. See devfs(8) for information on how to use devfs rules to limit access to entries in the per-jail devfs.

What should I do for /etc/devfs.rules on the host? What should I be excluding?
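The jail(8) note quoted in the message can be turned into a check. The following is an added example, not part of the original message or of FreeBSD: a small auditor that evaluates devfs.rules-style rulesets against a list of device nodes and reports any disk devices left visible. The ruleset names and numbers, the node list and the disk name globs are constructed for the example; it models only `add ... hide|unhide`, `path` and `include`, and assumes glob patterns are matched per path component.

```python
import shlex
from fnmatch import fnmatchcase
# Constructed rulesets in devfs.rules syntax (names and numbers are examples).
RULES = """
[hide_all=1]
add hide
[unhide_basic=2]
add path null unhide
add path urandom unhide
[webjail=10]
add include $hide_all
add include $unhide_basic
add path 'ttyp*' unhide
[loosejail=11]            # no hide-all first: every host node stays visible
add include $unhide_basic
"""
NODES = ["null", "urandom", "ttyp0", "ad0", "ad0s1a", "da0", "md0"]  # constructed
DISKS = ["ad[0-9]*", "ada[0-9]*", "da[0-9]*", "md[0-9]*"]  # disk device name globs

def parse(text):
    rulesets, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0].startswith("["):      # "[name=number]" header
            cur = tok[0].strip("[]").split("=")[0]
            rulesets[cur] = []
        elif tok and tok[0] == "add" and cur:
            rulesets[cur].append(tok[1:])
    return rulesets

def match(pattern, node):
    # Assumption: a glob never crosses a "/" in the device path.
    p, n = pattern.split("/"), node.split("/")
    return len(p) == len(n) and all(fnmatchcase(b, a) for a, b in zip(p, n))

def visible(rulesets, name, node, state=True):
    # Rules run in order; the last matching hide/unhide decides visibility.
    for rule in rulesets[name]:
        if rule[0] == "include":
            state = visible(rulesets, rule[1].lstrip("$"), node, state)
        elif rule[-1] in ("hide", "unhide"):
            if rule[0] != "path" or match(rule[1], node):
                state = rule[-1] == "unhide"
    return state

def exposed_disks(rulesets, name, nodes=NODES):
    return [n for n in nodes if visible(rulesets, name, n)
            and any(match(d, n) for d in DISKS)]
```

Calling `exposed_disks(parse(RULES), "webjail")` returns an empty list, while the same call for `"loosejail"` lists every disk node, because that ruleset never hides everything before unhiding what the jail needs.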