From owner-freebsd-stable@FreeBSD.ORG Sun Feb 16 15:18:09 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 799E8A8F for ; Sun, 16 Feb 2014 15:18:09 +0000 (UTC) Received: from moof.catpipe.net (moof.catpipe.net [194.28.252.64]) by mx1.freebsd.org (Postfix) with ESMTP id 33FD715DC for ; Sun, 16 Feb 2014 15:18:08 +0000 (UTC) Received: from localhost (moof.catpipe.net [194.28.252.64]) by localhost.catpipe.net (Postfix) with ESMTP id 475DF4CEA9B; Sun, 16 Feb 2014 16:13:00 +0100 (CET) Received: from moof.catpipe.net ([194.28.252.64]) by localhost (moof.catpipe.net [194.28.252.64]) (amavisd-new, port 10024) with ESMTP id kudSAQzXnmKL; Sun, 16 Feb 2014 16:12:59 +0100 (CET) Received: from macbook.bluepipe.net (unknown [175.139.232.82]) (Authenticated sender: relayuser) by moof.catpipe.net (Postfix) with ESMTPA id 8571A4CE9B7; Sun, 16 Feb 2014 16:12:59 +0100 (CET) Received: by macbook.bluepipe.net (Postfix, from userid 1001) id 1109B1C7A5B5; Sun, 16 Feb 2014 23:12:57 +0800 (MYT) Date: Sun, 16 Feb 2014 23:12:57 +0800 From: Phil Regnauld To: "A.J. 'Fonz' van Werven" Subject: Re: Should I use jail? Message-ID: <20140216151257.GP71201@macbook.bluepipe.net> References: <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20140216142824.GA25883@spectrum.skysmurf.nl> X-Operating-System: Darwin 13.0.0 x86_64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-stable@freebsd.org X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Feb 2014 15:18:09 -0000 A.J. 'Fonz' van Werven (freebsd) writes: > Thomas Steen Rasmussen wrote: > > > For what it's worth I never, ever run any service without running it in > > a jail. > > Smartass comment: if that includes ntpd or a master NIS server, would you > care to divulge how you did that? I don't know why the NIS server would be any different, but for services that require access to devices (say, ntpd talking to a GPS over USB), you define new devfs rules to unhide the requisite /dev/ entries for the jails running the service. I do this for OpenDNSSEC using a smartcard reader. Here's a devfs.conf entry to make it possible to access BPF (for tcpdump among other things - but beware of giving access to raw devices this way) and ugen* devices under /dev/ [devfsrules_jail_bpf=5] add include $devfsrules_jail add path 'bpf*' unhide add path 'ugen0.*' unhide Cheers, Phil