From owner-freebsd-questions Mon Mar 12 17:26:24 2001 Delivered-To: freebsd-questions@freebsd.org Received: from hawk-systems.com (hawk-systems.com [161.58.152.235]) by hub.freebsd.org (Postfix) with ESMTP id E2A6237B718 for ; Mon, 12 Mar 2001 17:26:10 -0800 (PST) (envelope-from dave@hawk-systems.com) Received: from server0 (cr1032856-a.pr1.on.wave.home.com [24.112.146.66]) by hawk-systems.com (8.8.8) id SAA68958 for ; Mon, 12 Mar 2001 18:26:00 -0700 (MST) From: "Dave VanAuken" To: Subject: RE: FreeVSD for FreeBSD? Date: Mon, 12 Mar 2001 20:35:54 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <200103122333.KAA10180@tungsten.austclear.com.au> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG so all and all, still alot of time and coding required, and you pretty much massacre the jail and its function by doing that... the other option is chrooting all the relevant required applications individually, or creating safe copies of them (a la Verio virtual servers). Again, back to the lots of coding and time. No one has a prepackaged FreeVSD type of port for FreeBSD? Dave -----Original Message----- From: Tony Landells [mailto:ahl@austclear.com.au] Sent: Monday, March 12, 2001 6:33 PM To: Dave VanAuken Cc: freebsd-questions@FreeBSD.ORG Subject: Re: FreeVSD for FreeBSD? dave@hawk-systems.com said: > was averaging about 200mb per jail, this was with only token reduction > in un-needed files(no serious pruning) and with inclusion of port > sources for common entried such as MySQL, PHP, and so forth. Hard > linking them could be an option though I have not explored the > ramifications of: > 1) linking to a source outside of the jail(chrooted environment) Well, you can't hard link to a file on a different file system, but otherwise it is a reference to the inode itself and as such doesn't care about chroot. Of course, you still need any dynamic libraries as well. And by doing this you're bypassing one of the big security advantages of a jail, because someone breaking into a jail can corrupt the hard linked files, affecting every jail (and the server) that uses them. If you were to give someone root access in their jail, they could "update" software to the detriment of others, particularly if they're experimenting with, for example, perl and decide that they need some customisation, but their version dumps core. They might think "it doesn't matter, I'll sleep on it and come back to it tomorrow", while other users are tearing their hair out because their Web site is down, or something that worked yesterday has stopped working, ... > 2) the problem of cvsuping the root(host) server and > dealing with the jail's relianced on hard linked portions of the tree > that are cvsup'ed without rebuilding the jails (this is a major > pitfall of jail as I see it) It depends how you build things. Since the hard link is a reference to the inode, if you just change the file contents you're fine (well, assuming it works--see my previous paragraph). However, if you build by recreating files (either moving or removing the original, then create a new file with the same name) then you lose because the hard link will refer to the original inode and thus won't pick up the change. A lot of this depends on whether you're using jail for convenience or security, and whether you intend to give root access in jails to their "owners". Cheers, Tony -- Tony Landells Senior Network Engineer Ph: +61 3 9677 9319 Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355 Level 4, Rialto North Tower 525 Collins Street Melbourne VIC 3000 Australia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message