From owner-freebsd-questions@FreeBSD.ORG Thu Mar 3 17:37:47 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3152B16A4CE for ; Thu, 3 Mar 2005 17:37:47 +0000 (GMT) Received: from smtphost.cis.strath.ac.uk (smtphost.cis.strath.ac.uk [130.159.196.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 722F343D2F for ; Thu, 3 Mar 2005 17:37:46 +0000 (GMT) (envelope-from chodgins@cis.strath.ac.uk) Received: from [192.168.0.4] (chrishodgins.force9.co.uk [84.92.20.141]) j23HbZGD029096; Thu, 3 Mar 2005 17:37:36 GMT Message-ID: <42274C9D.4000107@cis.strath.ac.uk> Date: Thu, 03 Mar 2005 17:42:53 +0000 From: Chris Hodgins User-Agent: Mozilla Thunderbird 1.0 (X11/20050204) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ean Kingston References: <4227164D.3050103@cis.strath.ac.uk> <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> In-Reply-To: <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-CIS-MailScanner-Information: Please contact support@cis.strath.ac.uk for more information X-CIS-MailScanner: Found to be clean X-CIS-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 6) X-CIS-MailScanner-From: chodgins@cis.strath.ac.uk cc: freebsd-questions@freebsd.org Subject: Re: Sharing directories with jails X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 17:37:47 -0000 Ean Kingston wrote: >>How dangerous is it to share the ports directory with jails on the >>system? I am using the jails to give other access to a freebsd system. >> You can assume they are untrusted (hence the jail ;)). >> >>Is it enough just to: >>ln -s /usr/ports /usr/jail/ajail/usr/ports > > > That won't work. The jail does a chroot (along with other things) when it > starts up so the link inside the jail will wind up pointing to itself. Doh! :) > > The only way I've been able to figure out how to do something like that is > by running an NFS server outside the jail and then run an NFS client > inside the jail to get access to the disk space outside the jail via NFS. > I actually have a separate jail for the NFS server and export everything > read-only. Interesting idea. > > Now, I'm sure you've thought of this but I'm going to say it for anyone > reading the archives. You do know that giving the jailed processes access > to anything outside the jail will reduce the security advantages of having > a jail in the first place? Well I wasn't sure about this...hence the question. > > Besides, why would you provide a jailed process with access to development > tools? You are just making it much easier for anyone with access to the > jail to build/install software to help them break out of the jail. > > >>Thanks >>Chris > > Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry to much about breaking things. How easy is it exactly to break out of a jail if you have access to development tools? Chris