From owner-freebsd-security Tue Apr 2 17:14: 9 2002
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 68A1937B405 for ; Tue, 2 Apr 2002 17:14:04 -0800 (PST)
Received: from famine.cs.utah.edu (famine.cs.utah.edu [155.99.198.114]) by wrath.cs.utah.edu (8.11.6/8.11.6) with ESMTP id g331E3T28811 for ; Tue, 2 Apr 2002 18:14:03 -0700 (MST)
Received: by famine.cs.utah.edu (Postfix, from userid 2146) id CCDA323A83; Tue, 2 Apr 2002 18:14:02 -0700 (MST)
Date: Tue, 2 Apr 2002 18:14:02 -0700
From: "David G . Andersen"
To: freebsd-security@freebsd.org
Subject: Jail with one IP?
Message-ID: <20020402181402.A27138@cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Does anyone have warnings / experience with how Jail will behave when used with a single IP address, as "chroot++"?

What I'm really looking for is something that's a hybrid between chroot and jail; my machines have only a single IP address, but I'd like the benefit of a real Jail environment, that people can access through an sshd started on a different port from within the jail.

It seems to have the dangers one would expect - root inside the jail can bind TCP ports that take over those from the external jail environment (highly bummer), but these can likely be fixed with a little bit of hackery, or very easily by denying binding to ports < 1024 from the jail environment. Are there any other caveats of which I should be aware before heading down this road? Or has anyone else done this before and has lots of good advice?
TIA,
-Dave

--
work: dga@lcs.mit.edu   me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/
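The port-collision concern raised in the post above, as an added example that is not part of the original message or of FreeBSD's jail code: a pre-flight check that parses the host's listening sockets (the sample below is constructed, in the column layout of `sockstat -4 -l`) and reports, for each port a jail on the shared IP intends to bind, whether it collides with a host listener (a wildcard `*` bind already covers the jail's IP) and whether it is a privileged port below 1024, the rule the post proposes enforcing. The `wanted` list of (proto, port) pairs is a hypothetical input format, not a jail configuration syntax.

```python
"""Pre-flight check for running a jail on a host's only IP address.

Added example, not code from the mailing-list post or from FreeBSD.
Parses `sockstat -4 -l`-style listener lines (sample is constructed)
and flags host collisions and privileged ports for a jail's intended binds.
"""

PRIVILEGED_MAX = 1023  # ports <= 1023 are the "< 1024" range the post wants refused

# Constructed sample in the column layout of FreeBSD's `sockstat -4 -l`.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     sendmail   480   4  tcp4   127.0.0.1:25          *:*
www      httpd      601   3  tcp4   192.0.2.10:80         *:*
root     syslogd    301   5  udp4   *:514                 *:*
"""


def parse_sockstat(text):
    """Return a list of (proto, addr, port, command) for each listening socket."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[4], fields[5]
        addr, _, port = local.rpartition(":")  # "*:22" -> ("*", "22")
        listeners.append((proto, addr, int(port), fields[1]))
    return listeners


def conflicts(listeners, jail_ip, proto, port):
    """Host listeners overlapping a jail bind of proto on jail_ip:port.

    A host socket bound to the wildcard '*' already covers the jail's IP
    because the jail shares it; so does an explicit bind to that same IP.
    A host service bound only to 127.0.0.1 is not counted as a collision.
    """
    return [l for l in listeners
            if l[0] == proto and l[2] == port and l[1] in ("*", jail_ip)]


def check_jail_ports(listeners, jail_ip, wanted):
    """wanted: iterable of (proto, port) the jail plans to bind.

    Returns a list of (proto, port, reason) findings; an empty list means
    the jail's binds neither collide with the host nor use privileged ports.
    """
    findings = []
    for proto, port in wanted:
        if port <= PRIVILEGED_MAX:
            findings.append((proto, port, "privileged port"))
        for l in conflicts(listeners, jail_ip, proto, port):
            findings.append((proto, port,
                             f"collides with host {l[3]} on {l[1]}:{l[2]}"))
    return findings


if __name__ == "__main__":
    host_listeners = parse_sockstat(SAMPLE_SOCKSTAT)
    # The post's plan: sshd inside the jail on a non-default port.
    plan = [("tcp4", 2222), ("tcp4", 22), ("tcp4", 80), ("tcp4", 25)]
    for finding in check_jail_ports(host_listeners, "192.0.2.10", plan):
        print("%s/%d: %s" % finding)
```

On a real host, feed the output of `sockstat -4 -l` to `parse_sockstat` before starting the jail; the check is advisory and only models the overlap the post describes (a wildcard host listener covering the jail's shared address), so it complements rather than replaces an in-kernel restriction on privileged ports.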