From owner-freebsd-security Wed May 17 9:08:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [209.98.143.44]) by hub.freebsd.org (Postfix) with ESMTP id 0EDB337BC87; Wed, 17 May 2000 09:08:06 -0700 (PDT) (envelope-from nectar@nectar.com)
Received: from bone.nectar.com (bone.nectar.com [10.0.1.105]) by gw.nectar.com (Postfix) with ESMTP id F1A989B10; Wed, 17 May 2000 11:08:04 -0500 (CDT)
Received: by bone.nectar.com (Postfix, from userid 1001) id EC3C81DAB; Wed, 17 May 2000 11:07:58 -0500 (CDT)
Date: Wed, 17 May 2000 11:07:58 -0500
From: "Jacques A . Vidrine"
To: Robert Watson
Cc: Geoffrey Robinson, security@freebsd.org
Subject: Re: Jail: Problems? Proper Usage? Status? Practicality?
Message-ID: <20000517110758.C6884@bone.nectar.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from rwatson@freebsd.org on Wed, May 17, 2000 at 11:05:07AM -0400
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 17, 2000 at 11:05:07AM -0400, Robert Watson wrote:
> Jail works by:
>
> 1) Chrooting the child process
> 2) Limiting the scope of superuser privileges accessible by uid0 processes
>    in the jail
> 3) Limiting network access to a single IP address

[snip]

> Right now, each jail costs you the size of
> world, and is hard to upgrade if you have any decent number of jails.

You don't need the whole world, depending on what you are doing. If a jail
is set up for the purposes of a single application (which I expect is the
most common scenario), you only need the files that support it.

Upgrading the jail is simple if you created a script to create the jail in
the first place -- you re-run the script after upgrading the base system.

For me the real problem with this scheme is producing the script for
building a jail in the first place. I do it by hand.

One of these days I'd like to try writing an application that can generate
a first-draft script for building a jail, given a list of applications that
need to run in the jail. I think it might be nifty to do this based on the
output of a ktrace on the target applications during a test run.

> Storing all that stuff in a single tree mapped read-only into jails would
> solve that (you'd probably want two so you could upgrade one, test it, and
> then swap to that for all jails so as to minimize downtime).

I don't think you want this unless the purpose of your jail is to provide a
`complete virtual server' for shell access et al. I don't want e.g. `cc' or
`sync' or most of the things in `/dev' to be available to a jailed process.

> I'll gather up my notes on possible improvements and post them to
> -security sometime in the next week or two. Thanks!

Yay, thanks Robert!

--
Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org
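A sketch of the ktrace-driven approach the mail proposes, added here as an example and not code from the original thread: it pulls the pathname lookups (NAMI records) out of kdump(1) output and emits a first-draft script that populates a jail root with only those files, leaving out anything under /dev or /proc. The kdump line layout and the sample trace are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: derive a first-draft jail population script from kdump output.
# Assumption: kdump prints NAMI records with the looked-up path in double
# quotes, e.g. ' 1234 sh       NAMI  "/bin/sh"'. The sample trace below is
# constructed, not a real ktrace of anything.

# Print the unique absolute paths the traced program looked up, dropping
# relative lookups and anything under /dev or /proc (the mail argues a
# jailed process should not get most of /dev in the first place).
jail_paths_from_kdump() {           # $1 = file holding kdump output
    sed -n 's/^.*NAMI *"\([^"]*\)".*$/\1/p' "$1" \
    | grep '^/' \
    | grep -v -e '^/dev' -e '^/proc' \
    | sort -u
}

# Emit a shell script that recreates each parent directory under the jail
# root and copies the file in with mode and ownership preserved (cp -p).
# Re-running the generated script after a base-system upgrade refreshes
# the jail, which is the upgrade path the mail describes.
gen_jail_script() {                 # $1 = kdump output file, $2 = jail root
    echo '#!/bin/sh'
    echo 'set -e'
    echo "J=$2"
    jail_paths_from_kdump "$1" | while read -r p; do
        echo "mkdir -p \"\$J$(dirname "$p")\""
        echo "cp -p \"$p\" \"\$J$p\""
    done
}

# Constructed sample trace: one duplicate, one /dev entry, one relative path.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  1234 sh       NAMI  "/bin/sh"
  1234 sh       NAMI  "/etc/passwd"
  1234 sh       NAMI  "/dev/null"
  1234 sh       NAMI  "/etc/passwd"
  1234 sh       NAMI  "relative/file"
EOF

# Stand-alone run: print the generated script for a hypothetical jail root.
gen_jail_script "$SAMPLE" /jail/www
```

The generated script is a starting point to review by hand, since a single test run only captures the paths that run actually touched.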