From owner-freebsd-security Thu Aug 30 14:30:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 904D537B401 for ; Thu, 30 Aug 2001 14:30:44 -0700 (PDT) (envelope-from rich@rdrose.org) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id WAA22056; Thu, 30 Aug 2001 22:28:06 +0100 Date: Thu, 30 Aug 2001 22:28:06 +0100 (BST) From: rich@rdrose.org X-Sender: rik@pkl.net To: Alfred Perlstein Cc: Ronan Lucio , security@FreeBSD.ORG Subject: Re: Jail question In-Reply-To: <20010830152738.F81307@elvis.mu.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 30 Aug 2001, Alfred Perlstein wrote: > > I=B4m a little mess about it >=20 > This is the wrong list to post such questions, try freebsd-questions. Peronsally, I think this was the correct list for the question, it's just the Ronan has not understood the jail concept, which hopefully, I will be able to help with now. A jail is a kind of virtual machine that can be created under FreeBSD. It is not a *complete* virtual machine, like VMWare is, merely a set of processes and permissions that are completely unconnected to those outside that jail. Note that "outside that jail" can mean both on the rest of the machine, and in other jails on the same machine. It is similar chroot, but far stronger, imposing more restrictions on what the proccesses inside the jail can affect on the machine, and what they can tell about the machine. The purpose is to separate things as completely as possible. There is a large benefit to be gained by putting the mail daemon into a jail. You will make the rest of the Operating System much harder to break into, even if the mail daemon is broken into. As I said, this is just my opinion. I do not run a mail server of any significant size, nor do I claim to be a security or jail expert. The choice of whether to use jail or not is up to you. People obsessed with security would do it without thinking. People not concerned at all would not even think about it. You have to decide what you are prepared to do. Personally, I would advise trying it at least, on a test machine, just so that you know how to do it later, even if you then decide it is not worth doing to the production mail server. If I ran a production mail server, I would put the mail daemon in a jail. For general questions, about setting up jail, rather than the security implications of jail, I would agree that questions@freebsd.org is a better list, but for question about the security of jail, then this list if the one to choose. One more disclaimer - I do not claim to be a jail expert, what I have set up is merely my understanding of jail. I could be wrong, and if I am, I hope to be corrected on the list, before you you have taken any bad decisions based on what I have said. rik To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message