From owner-freebsd-security Thu May 18 7:47:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6489937B5D8 for ; Thu, 18 May 2000 07:47:08 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id KAA29232; Thu, 18 May 2000 10:47:03 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Thu, 18 May 2000 10:47:03 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Geoffrey Robinson Cc: security@freebsd.org Subject: Re: Jail: Problems? Proper Usage? Status? Practicality? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 17 May 2000, Geoffrey Robinson wrote: > On Wed, 17 May 2000, Robert Watson wrote: > > > Jail works by: > > > > 1) Chrooting the child process > > 2) Limiting the scope of superuser privileges accessible by uid0 processes > > in the jail > > > > It does not attempt to prevent processes outside the jail from > > communicating with processes within the jail. As such, having a process > > do so wouldn't defeat the jail per se, but would defeat the purpose of the > > jail :-). > > Still, like any network service the security impact would depend on how > well the server application was written not on the fact you have a link to > the host system. Right? The point of jail() is to limit the scope of compromise, if any, to within the jail. As such, the integrity of a jail should rest with the applications that run in it, but the integrity of the host should not. I.e., one of the intended environments for jail use is a delegation model wherein virtual subsystems are provided to individuals/groups/organizations for their own management. By virtue of the jail'd file system being a subset of the host file system, communication is possible between jails and the host (as well as signal delivery, et al), but any such communication should have to be initiated by processes outside the jail, not from within. > > One way to substantially improve jail scalability would be to allow the > > same (read-only) file system to be present in all jails as the root, with > > only jail-local data being modified. You can imagine gratuitously using > > nullfs (if it worked) to do this, and mount per-jail writable fs's for > > appropriatel subdirectories (/etc, /usr/local, /home) with appropriate > > symlinks within the jail. Right now, each jail costs you the size of > > world, and is hard to upgrade if you have any decent number of jails. > > Storing all that stuff in a single tree mapped read-only into jails would > > solve that (you'd probably want two so you could upgrade one, test it, and > > then swap to that for all jails so as to minimize downtime). > > If I wanted to do that. Would it be as easy as building a jail on a > spare partition then mounting it read-only to the correct locations? Right now the device handling prevents multiple read-only mounts of the same partition in multiple places. This is unfortunate, but I understand that Poul-Henning Kemp's changes to the bio/device management will address this, among other things. That said, it would be more efficient to make use of some sort of name space translation (assuming our VFS could do it) as you could allow greater reuse of storage/management resources. I assume the buffer cache would be shared between the two in the multi-mount case, but not the vnodes. That might also be the case in the namespace translation instance, so it may be lose-lose in both situations. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message