Date:      Thu, 3 Mar 2005 13:16:49 -0500
From:      Anish Mistry <mistry.7@osu.edu>
To:        freebsd-questions@freebsd.org
Cc:        Chris Hodgins <chodgins@cis.strath.ac.uk>
Subject:   Re: Sharing directories with jails
Message-ID:  <200503031316.56083.mistry.7@osu.edu>
In-Reply-To: <42274C9D.4000107@cis.strath.ac.uk>
References:  <4227164D.3050103@cis.strath.ac.uk> <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> <42274C9D.4000107@cis.strath.ac.uk>

On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> Ean Kingston wrote:
> >>How dangerous is it to share the ports directory with jails on
> >> the system?  I am using the jails to give other access to a
> >> freebsd system. You can assume they are untrusted (hence the
> >> jail ;)).
> >>
> >>Is it enough just to:
> >>ln -s /usr/ports /usr/jail/ajail/usr/ports
> >
> > That won't work. The jail does a chroot (along with other things)
> > when it starts up so the link inside the jail will wind up
> > pointing to itself.
>
> Doh! :)
>
> > The only way I've been able to figure out how to do something
> > like that is by running an NFS server outside the jail and then
> > run an NFS client inside the jail to get access to the disk space
> > outside the jail via NFS. I actually have a separate jail for the
> > NFS server and export everything read-only.
>
> Interesting idea.
>
> > Now, I'm sure you've thought of this but I'm going to say it for
> > anyone reading the archives. You do know that giving the jailed
> > processes access to anything outside the jail will reduce the
> > security advantages of having a jail in the first place?
>
> Well I wasn't sure about this...hence the question.
>
> > Besides, why would you provide a jailed process with access to
> > development tools? You are just making it much easier for anyone
> > with access to the jail to build/install software to help them
> > break out of the jail.
> >
> >>Thanks
> >>Chris
>
> Ok perhaps I should clarify what my intentions are a little more.
> I am planning on providing a FreeBSD jail for any member of a geek
> society I am a member of.  When I say they are untrusted, I mean
> that I won't be giving them full root access to my server but I
> trust them enough not to do anything malicious inside a jail.  It
> is just like a fun place they can play and not have to worry too
> much about breaking things.
>
> How easy is it exactly to break out of a jail if you have access to
> development tools?
>

http://www.securiteam.com/unixfocus/5WP031535U.html

If you use securelevels you can significantly improve security.

-- 
Anish Mistry
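
Why the `ln -s /usr/ports /usr/jail/ajail/usr/ports` from the quoted question ends up pointing to itself inside the jail, as an added example that is not part of the original message. The function names and the temporary directory standing in for the host's `/` are assumptions, and only a symlink in the final path component is followed.

```shell
#!/bin/sh
# Added example: resolve PATH as a process whose root directory is ROOT
# would see it. Absolute symlink targets restart at ROOT, not at the
# host's real /, which is what chroot (and therefore a jail) enforces.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 32 ]; then   # bounded, like the kernel's ELOOP check
            echo "ELOOP"
            return 1
        fi
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                     # absolute: re-rooted at ROOT
            *)  path=$(dirname "$path")/$target ;;  # relative: beside the link
        esac
    done
    echo "$path"
}

# Constructed layout: a temp dir plays the host's /, with the jail under
# usr/jail/ajail and the symlink from the question created inside it.
make_layout() {
    host=$(mktemp -d)
    mkdir -p "$host/usr/ports" "$host/usr/jail/ajail/usr"
    ln -s /usr/ports "$host/usr/jail/ajail/usr/ports"
    echo "$host"
}

h=$(make_layout)
# Seen from the host, the link leads to the real ports tree.
echo "host view: $(resolve_in_root "$h" /usr/jail/ajail/usr/ports)"
# Seen from inside the jail, /usr/ports is the link and its target is
# /usr/ports again, so resolution never leaves the jail.
echo "jail view: $(resolve_in_root "$h/usr/jail/ajail" /usr/ports || true)"
rm -rf "$h"
```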

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200503031316.56083.mistry.7>