Date: Thu, 03 Mar 2005 17:42:53 +0000
From: Chris Hodgins <chodgins@cis.strath.ac.uk>
To: Ean Kingston <ean@hedron.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Sharing directories with jails
Message-ID: <42274C9D.4000107@cis.strath.ac.uk>
In-Reply-To: <2939.216.220.59.169.1109865872.squirrel@216.220.59.169>
References: <4227164D.3050103@cis.strath.ac.uk> <2939.216.220.59.169.1109865872.squirrel@216.220.59.169>

Ean Kingston wrote:
>>How dangerous is it to share the ports directory with jails on the
>>system? I am using the jails to give other access to a freebsd system.
>> You can assume they are untrusted (hence the jail ;)).
>>
>>Is it enough just to:
>>ln -s /usr/ports /usr/jail/ajail/usr/ports
>
> That won't work. The jail does a chroot (along with other things) when it
> starts up so the link inside the jail will wind up pointing to itself.

Doh! :)

> The only way I've been able to figure out how to do something like that is
> by running an NFS server outside the jail and then run an NFS client
> inside the jail to get access to the disk space outside the jail via NFS.
> I actually have a separate jail for the NFS server and export everything
> read-only.

Interesting idea.

> Now, I'm sure you've thought of this but I'm going to say it for anyone
> reading the archives. You do know that giving the jailed processes access
> to anything outside the jail will reduce the security advantages of having
> a jail in the first place?

Well I wasn't sure about this...hence the question.

> Besides, why would you provide a jailed process with access to development
> tools? You are just making it much easier for anyone with access to the
> jail to build/install software to help them break out of the jail.
>
>>Thanks
>>Chris

Ok perhaps I should clarify what my intentions are a little more. I am
planning on providing a FreeBSD jail for any member of a geek society I
am a member of. When I say they are untrusted, I mean that I won't be
giving them full root access to my server but I trust them enough not to
do anything malicious inside a jail. It is just like a fun place they
can play and not have to worry too much about breaking things.

How easy is it exactly to break out of a jail if you have access to
development tools?

Chris
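
The symlink behaviour described in the quoted reply, as an added example that is not part of the original message: a sketch that emulates path lookup after the jail's chroot, without needing root. The function name `resolve_in_jail`, the temporary directory tree and the hop limit are assumptions made for this example, and only a symlink in the final path component is followed.

```shell
#!/bin/sh
# resolve_in_jail JAILROOT PATH   (hypothetical helper, written for this example)
#   JAILROOT: host directory that becomes "/" once the jail has chrooted
#   PATH:     absolute path as a process inside the jail would name it
# Prints the host-side path the lookup ends at and returns 0, or prints
# ELOOP and returns 1 when the chain of symlinks never terminates.
resolve_in_jail() {
    jail=$1
    inside=$2
    hops=0
    while [ -L "$jail$inside" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 32 ]; then          # hop limit chosen for this sketch
            echo ELOOP
            return 1
        fi
        target=$(readlink "$jail$inside")
        case $target in
            /*) inside=$target ;;                        # absolute target restarts at the jail's "/"
            *)  inside=$(dirname "$inside")/$target ;;   # relative target stays beside the link
        esac
    done
    echo "$jail$inside"
}

demo() {
    tmp=$(mktemp -d)                         # constructed stand-in for the host's "/"
    mkdir -p "$tmp/usr/ports" "$tmp/usr/jail/ajail/usr"
    # Same link text as in the message: the target is the string "/usr/ports"
    ln -s /usr/ports "$tmp/usr/jail/ajail/usr/ports"

    echo "host view:"
    resolve_in_jail "$tmp" /usr/jail/ajail/usr/ports      # ends at the real ports tree
    echo "jail view:"
    resolve_in_jail "$tmp/usr/jail/ajail" /usr/ports || true   # link points at itself
    rm -rf "$tmp"
}

demo
```

From the host the link reaches the real ports tree; with the jail directory as root, the same link text names the link itself and the lookup never terminates.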