Message-ID: <3eca10930809212301t207b6d08p26eb27294350227a@mail.gmail.com>
Date: Mon, 22 Sep 2008 02:01:36 -0400
From: "Matt Fioravante"
To: freebsd-questions@FreeBSD.org
Subject: Shared /usr in jails

I want to implement a number of jails for different services on a single box. Since /usr is the same everywhere I'd like to just mount one copy of it read-only to all the jails and then have them each have their own /usr/local.

Someone recommended keeping the main system's /usr separate. This would mean building a /usr for the main system and then making a copy of it to be shared by the jails.

Aesthetics and philosophy aside, are there any real security holes in just using the system's /usr everywhere if it is mounted read-only in the jails? This seems to be the approach used by Solaris zones.

Thanks!