From: Julian Fagir
To: freebsd-questions@freebsd.org
Date: Tue, 13 Jul 2010 20:21:05 +0200
Subject: Re: Clarification: "Jail" -vs- "Chroot"
Message-ID: <20100713202105.3be41324@adolfputzen>

Hi,

> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.

Yes, it has both of them. You still want to use chroot, also it is kind of
'part' of a jail (technically perhaps it's implemented separately).

> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

In Solaris, you have zones, and there are several projects to do the same
thing with Linux (Linux-vserver etc.).

> 3.) When reading something (book, article, etc.), is there a way to
> determine if the author is, in fact, talking about truly a "jail" or
> are they really just referring to a "chroot" environment? For example,
> I have a book ("Preventing web attacks with Apache") that says:
>
> "Chroot is short for change root and essentially allows you to run
> programs in a protected or jailed environment. The main benefit of a
> chroot jail is that the jail will limit the portion of the file system
> the daemon can see to the root directory of the jail. Additionally,
> since the jail only needs to support Apache, the programs available in
> the jail can be extremely limited."

Usually, only FreeBSD-specific books will talk about jails, as chroot is the
generic Unix-way for that. Anyway, in many cases you can use a jail for the
same things a chroot-environment is talked about.
In this case, I think he's really talking about a chroot, as he's only
talking about the file system, not the network etc.

> 4.) Jail is the more secure of the two options?

I cannot really answer this, but a jail is the more separated way. So, I
would say, a jail is more secure. If the extras of a jail are not needed, it
is perhaps more insecure, as there are more points to break into the system.
But, don't rely on my answer, I never looked at the kernel-side of jails the
very technical way.

> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
> edition of "Absolute FreeBSD" says:
>
> "Chrooting is useful for web servers that have multiple clients on one
> machine—that is, web servers with many virtual hosts."

On the FreeBSD-machines I manage, I use chroot for the services that are not
that security-relevant or can easily be separated, i.e. on some distributions
you can put your apache or bind easily into a chroot-environment.
Also, a chroot-environment can have other targets than a jail, e.g. if you
only want to have another file system-visibility instead of a new jail as you
do when you have to start with a live-cd into a non-booting system.

Sorry for my English. :)

Regards, Julian