From: Chris Hodgins <chodgins@cis.strath.ac.uk>
To: Denis Shaposhnikov
Cc: freebsd-hackers@freebsd.org, security@revolutionsp.com, Frank Knobbe
Subject: Re: Idea about 'skeleton jail
Date: Sun, 13 Mar 2005 12:04:23 +0000
Message-ID: <42342C47.209@cis.strath.ac.uk>
In-Reply-To: <87d5u33j51.fsf@neva.vlink.ru>

Denis Shaposhnikov wrote:
>>>>>> "Frank" == Frank Knobbe writes:
>
> Frank> If you nullfs these directories, you lose the ability to
> Frank> prune the jail. Pruning is part of system hardening. I'd
>
> Maybe it's better to use unionfs, so anybody can replace binaries
> with their stub version pre jail.
>

This might be a very stupid idea, but how about a jailfs? Now I don't
know all that much about filesystem design, so bear with me. How about
something like this:

  # ls /usr/jail
  fulljail  smalljail  fulljail.conf  smalljail.conf
  # cd /usr/jail/fulljail
  # ls
  dev  etc  home
  # cat ../fulljail.conf
  allow-all read-only
  ignore /dev /etc /usr/home
  allow read-write /usr/ports/distfiles
  # cd ../smalljail
  # ls
  # cat ../smalljail.conf
  ignore-all
  allow read-only /bin /usr/bin
  allow read-write /usr/home
  # cd /usr/jail
  # jail /usr/jail/fulljail fulljail 127.0.0.1 /bin/sh /etc/rc
  # jexec 1 ls
  COPYRIGHT  boot  compat  dist  etc  lib  mnt  rescue  sbin  sys  usr
  bin  cdrom  dev  entropy  home  libexec  proc  root  stand  tmp  var
  # jail /usr/jail/smalljail smalljail 127.0.0.1 /bin/sh /home/myhome/specialtask.sh
  # jexec 2 ls
  bin  usr  home
  #

So the jail filesystem is configured at jail-creation time and uses the
host's files or the jail's files depending on the configuration. Might
have to pass the config file into the jail command.

As I said, I am not an expert. Maybe one of the experts could let me
know what they think?

Chris
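The config format sketched in the message above can be approximated today with nullfs, which is the mechanism the thread is discussing. The script below is an added example, not code from the mail or from FreeBSD: it parses a jailfs-style config (the keywords allow-all, ignore-all, ignore, allow read-only and allow read-write are the ones from the mail) and prints the mount_nullfs(8) commands that would give the jail that view of the host. It mounts nothing, so it runs anywhere, and the function names, the explicit host-directory list it takes as arguments and the overlay note it emits are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD: a planner for the
# jailfs config format sketched above. It reads one config file and prints
# the mount_nullfs(8) commands that would give the jail that view of the
# host; it mounts nothing, so it runs anywhere. The keywords (allow-all,
# ignore-all, ignore, allow read-only, allow read-write) are the mail's;
# the function names, the explicit host-directory list and the overlay
# note are assumptions made for this example.

NL='
'

# in_list WORD ITEM... : succeed if WORD is one of the ITEMs.
in_list() {
    needle=$1; shift
    for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
    return 1
}

# jailfs_plan JAILROOT CONFIG HOSTDIR...
#   JAILROOT  directory holding the jail's private files (dev, etc, ...)
#   CONFIG    jailfs config file in the format from the mail
#   HOSTDIR   the host's top-level directories that allow-all may mount;
#             passed explicitly so the script never reads the real root
jailfs_plan() {
    root=$1; cfg=$2; shift 2
    default=ignore; ignored=""; explicit=""

    # Parse: 'explicit' collects "ro|rw PATH" lines, 'ignored' a word list.
    while read -r verb arg rest; do
        case $verb in
        ''|'#'*)    ;;
        allow-all)  default=$arg ;;
        ignore-all) default=ignore ;;
        ignore)     ignored="$ignored $arg $rest" ;;
        allow)
            case $arg in
            read-only)  mode=ro ;;
            read-write) mode=rw ;;
            *) echo "jailfs: bad mode '$arg'" >&2; return 1 ;;
            esac
            for p in $rest; do explicit="$explicit$mode $p$NL"; done ;;
        *) echo "jailfs: unknown keyword '$verb'" >&2; return 1 ;;
        esac
    done < "$cfg"

    # Default policy: each host top-level directory that is neither
    # ignored nor listed explicitly gets the allow-all mode.
    plan=""
    if [ "$default" != ignore ]; then
        case $default in
        read-only)  dmode=ro ;;
        read-write) dmode=rw ;;
        *) echo "jailfs: bad default '$default'" >&2; return 1 ;;
        esac
        for d in "$@"; do
            in_list "$d" $ignored && continue
            printf '%s' "$explicit" | grep -q " $d\$" && continue
            plan="$plan$dmode $d$NL"
        done
    fi
    plan="$plan$explicit"

    # Emit in path order so a parent mount (/usr, ro) is made before a
    # child stacked over it (/usr/ports/distfiles, rw).
    printf '%s' "$plan" | LC_ALL=C sort -k2 | while read -r mode path; do
        [ -n "$path" ] || continue
        in_list "$path" $ignored && continue
        echo "mount_nullfs -o $mode $path $root$path"
    done

    # nullfs exports whole subtrees: an ignored path under a host mount is
    # still visible, so tell the operator to cover it with a private dir.
    for i in $ignored; do
        printf '%s' "$plan" | while read -r mode path; do
            [ -n "$path" ] || continue
            case $i in
            "$path"/*) echo "# NOTE: $i is inside host mount $path; mount a jail-private directory over $root$i to hide it" ;;
            esac
        done
    done
}
```

Run it as `jailfs_plan /usr/jail/fulljail /usr/jail/fulljail.conf /bin /dev /etc /usr /var` and inspect the printed commands before executing them. The NOTE line is the check worth keeping from this exercise: with the fulljail.conf from the mail, /usr is mounted read-only from the host and /usr/home is merely marked ignore, so the host's /usr/home stays visible inside the jail until a jail-private directory is mounted over it; a jailfs that merged views natively would have to handle exactly that case.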