Date: Fri, 30 Nov 2001 22:44:50 +0300 (MSK) From: "."@babolo.ru To: part_lion@hotmail.com (Joesh Juphland) Cc: hackers@FreeBSD.ORG Subject: Re: more on jail - suitable for multi user system ? Message-ID: <200111301944.WAA05829@aaz.links.ru> In-Reply-To: <F120iPXkmCJiLyNfHgI000142c0@hotmail.com> from "Joesh Juphland" at "Nov 30, 1 00:16:50 am"
next in thread | previous in thread | raw e-mail | index | archive | help
Joesh Juphland writes: > One thing I would like to do as a hobby is start a classic multi-user unix > system and giving out shell accounts to whoever wants one. Not a money > maker, of course, but it would be fun. > > My question: does anyone have any comments on using `jail` in a public > environment like this - that is, instead of giving away individual shell > accounts, you would give away individual "jails" - basically a whole > seperate machine with its own IP and own root access, etc. ? Full jailes (that is - every jail has running sshd) requires different IP for every jail. Big IP alias list for one interface is needed. I think about whole network assignment instead of only host address for interface. It is possible sharing same IP different ports. I usually mount /etc into jail read only to prevent changes in port/jail mapping at startup and restrict local_startup="/etc/rc.d" I have startup script that automatically assigns IP and mounts for starting jail. The down side of jailed shell is restrictions for raw sockets (no ping and traceroute) and shared memory. > I am not asking about the commercial viability - it's just a hobby system. > But in terms of limiting resources (so no one user bogs down the whole > system) and in terms of security (nobody can turn rogue and bring down / > compromise the system) is this a viable option ? Jail is not ideal but is better then with no jail. There is another answer in list about resourses. > Or is jail best kept to environments where the users are in-house (trusted) Best untrasted user is dead user :-) best live untrasted user is jailed. > Another way of asking this would be, was jail developed for, and best used > for, creating a safe area for daemons like httpd, or was it developed with > running many full-blown independent systems on a single machine in mind ? I don't know developer's mind, but safe area for daemons like pop smtpd(any kind) named ntpd (in-pair with non-jailed ntpd) so on created by jail is good enough now. /bin/sh and friends are evils even in jail. > _any_ comments appreciated. Sorry, my English is worse then my knowledge. -- @BABOLO http://links.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111301944.WAA05829>