Date: Sat, 10 Sep 2005 17:05:18 +0200
From: "Ruben Bloemgarten" <rubenl@bloemgarten.demon.nl>
To: <freebsd-questions@freebsd.org>, <ruben@bloemgarten.demon.nl>
Subject: RE: /dev/mem /dev/kmem jails and using netstat -r and snmp
Message-ID: <20050910150637.5E3AC43D45@mx1.FreeBSD.org>
In-Reply-To: <44mzml3wt7.fsf@be-well.ilk.org>
Hi Lowell,

I absolutely agree with you in regards to jail security, this would effectively break jail security. My main reason for using jails is not security however, but manageability and expandability. By now I've figured out how to make mem and kmem available to a specific jail. As with all *nix related problems it was painfully simple once understood. I have managed to enable most NMS functionality I want from inside the jail without having to resort to this ruleset. I did want to have the option available for development and testing reasons to be able to differentiate between what I'm doing wrong and what is just an inherent restriction of properly deployed jails.

For a fully functional NMS solution running from inside a jail, using very anal access restrictions from the firewall on the mainhost, I'm not sure yet whether or not I'm actually troubled by the security NoNo access to privileged devices generates.

Anyway, thanks for your insight. Sometimes all we need is just someone to talk to. By the way I am very interested in what everyone's thoughts are in regards to jail functionality, as in security vs. the VirtualServer aspect and in which scenario one outweighs the other.

Regards,
Ruben

-----Original Message-----
From: lowell@be-well.ilk.org [mailto:lowell@be-well.ilk.org] On Behalf Of Lowell Gilbert
Sent: September 10, 2005 2:57 PM
To: ruben@bloemgarten.demon.nl
Cc: freebsd-questions@freebsd.org
Subject: Re: /dev/mem /dev/kmem jails and using netstat -r and snmp

"Ruben Bloemgarten" <rubenl@bloemgarten.demon.nl> writes:

> I seem to be a bit stuck here. I seem to need access to /dev/mem and
> /dev/kmem from inside a jail. Specifically to be able to use netstat -r and
> snmp in jailed environments. I'm running FBSD 5.4-RELEASE. Could anyone help
> me shed some light on this problem? Thanks.

Making kmem available in a jail seems like it can't be the right answer to anything. Kind of contradicts the point, I would think. I don't see an easy way around this.

Furthermore, there are different approaches depending on why you are trying to do this. If you want system statistics inside of a jail for remote monitoring, consider whether that is the best approach; after all, network management *is* a fundamentally privileged operation. One way to do it would be to feed the statistics into the jail from outside of it; this way, the privileged operation is separated from the network-accessible code, and not dependent on it in any way.

Good luck.

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.20/95 - Release Date: 09/09/2005
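The "feed the statistics into the jail from outside" design Lowell suggests, written out as an added shell example that is not part of this thread or of FreeBSD: the host collects the privileged routing table and hands the jail a read-only snapshot, so the jailed SNMP agent never touches /dev/mem or /dev/kmem. The jail root, export directory, snapshot names and the cron wiring are assumptions.

```shell
#!/bin/sh
# Host-side collector (runs OUTSIDE the jail, e.g. from the host's crontab).
# Assumed locations; adjust to your layout.
JAIL_ROOT="${JAIL_ROOT:-/usr/jails/nms}"
EXPORT_DIR="${EXPORT_DIR:-$JAIL_ROOT/var/db/hoststats}"

# publish_snapshot NAME COMMAND...: run COMMAND on the host and write its
# output atomically to $EXPORT_DIR/NAME (world-readable, not writable), plus
# a NAME.stamp file holding the collection time. If COMMAND fails, the
# previous snapshot is left untouched and the function returns non-zero,
# so a broken collector never replaces good data with a partial file.
publish_snapshot() {
    name=$1; shift
    mkdir -p "$EXPORT_DIR" || return 1
    tmp="$EXPORT_DIR/.$name.tmp.$$"
    if "$@" > "$tmp" 2>/dev/null; then
        chmod 0444 "$tmp" && mv -f "$tmp" "$EXPORT_DIR/$name" &&
            date +%s > "$EXPORT_DIR/$name.stamp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Jail-side check: age of a snapshot in seconds. The jailed agent should
# treat a missing or stale snapshot as "collector down" and report that,
# rather than silently serving old routing data. Prints -1 if absent.
snapshot_age() {
    stamp="$EXPORT_DIR/$1.stamp"
    if [ ! -r "$stamp" ]; then
        echo -1
        return 1
    fi
    echo $(( $(date +%s) - $(cat "$stamp") ))
}

# Example cron payload on the host: the privileged netstat runs here,
# and only its text output crosses into the jail.
collect_routes() {
    publish_snapshot routes netstat -rn
}
```

Inside the jail, the SNMP agent (or a small exec/extend hook) then reads `$EXPORT_DIR/routes` as an ordinary file and can use `snapshot_age routes` to flag a dead collector.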
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050910150637.5E3AC43D45>