From owner-freebsd-security Wed May 17 13:45:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wzrd.com (mail.wzrd.com [206.99.165.3])
	by hub.freebsd.org (Postfix) with ESMTP id 0F64837BD94
	for ; Wed, 17 May 2000 13:45:21 -0700 (PDT)
	(envelope-from danh@wzrd.com)
Received: by mail.wzrd.com (Postfix, from userid 91)
	id 79FDB5D053; Wed, 17 May 2000 16:45:19 -0400 (EDT)
Date: Wed, 17 May 2000 16:45:19 -0400
From: Dan Harnett
To: "Jacques A . Vidrine"
Cc: freebsd-security@freebsd.org
Subject: Re: Jail: Problems? Proper Usage? Status? Practicality?
Message-ID: <20000517164519.A79630@mail.wzrd.com>
References: <20000517110758.C6884@bone.nectar.com> <20000517152621.A48218@bone.nectar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000517152621.A48218@bone.nectar.com>; from n@nectar.com on Wed, May 17, 2000 at 03:26:21PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

On Wed, May 17, 2000 at 03:26:21PM -0500, Jacques A . Vidrine wrote:
> On Wed, May 17, 2000 at 12:41:49PM -0400, Robert Watson wrote:
> > Simple, but costly. Imagine for a moment that you have 700 jails on a
> > single machine, and you'd like to be able to consistently announce to all
> > admins of all jails that a version upgrade is taking place on 5/16/2000,
> > and the downtime is one hour :-). I'd rather have a single file system
> > exported to all jails, saving space and time.
>
> For a jail running apache+php+ssl (a fairly complex application), I
> have ~3.4 MB of files from the base system (35 files). This isn't
> very large. One need only store the file once per filesystem (hard
> links).

Isn't there a downside to that as well? Unless the files are read-only,
if one jail should get compromised any common shared files could actually
lead to holes in the remaining jails. An example being a modified sshd or
telnetd.

--
Dan Harnett                     Wizard Communication Systems, Inc.
Email: danh@wzrd.com            2 Main Street
Phone: (716) 743-0091           Tonawanda, NY 14150
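
The concern raised in this message, as an added example that is not part of the original post: a Python sketch that finds regular files hard-linked into more than one jail tree while still carrying write bits, run on a constructed two-jail layout. The directory names, the `sshd` stand-in file and the function names are assumptions for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict

def shared_writable_files(jail_roots):
    """Map (st_dev, st_ino) -> paths for regular files that are hard-linked
    into more than one jail root and still have a write bit set."""
    links = defaultdict(dict)            # inode key -> {jail root: first path seen}
    modes = {}
    for root in jail_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)      # lstat: do not follow symlinks out of the tree
                if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                    continue
                key = (st.st_dev, st.st_ino)
                links[key].setdefault(root, path)
                modes[key] = st.st_mode
    # Mode bits are a weak signal (the file's owner can restore them);
    # a read-only mount is the stronger form of "read-only".
    return {k: sorted(v.values()) for k, v in links.items()
            if len(v) > 1 and modes[k] & 0o222}

def demo():
    """Constructed layout: two 'jail' trees sharing one hard-linked file."""
    with tempfile.TemporaryDirectory() as base:
        roots = [os.path.join(base, j) for j in ("jailA", "jailB")]
        for r in roots:
            os.makedirs(os.path.join(r, "usr", "sbin"))
        in_a = os.path.join(roots[0], "usr", "sbin", "sshd")
        in_b = os.path.join(roots[1], "usr", "sbin", "sshd")
        with open(in_a, "w") as f:
            f.write("original\n")
        os.chmod(in_a, 0o644)
        os.link(in_a, in_b)              # one inode, visible in both jails
        before = shared_writable_files(roots)
        with open(in_a, "a") as f:       # a write made through jailA's name...
            f.write("changed in jailA\n")
        with open(in_b) as f:            # ...is what jailB reads
            seen_in_b = f.read()
        os.chmod(in_a, 0o555)            # drop write bits on the shared inode
        after = shared_writable_files(roots)
        return len(before), seen_in_b, len(after)

if __name__ == "__main__":
    print(demo())
```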