From owner-freebsd-security  Thu Feb 14 20: 6:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19])
	by hub.freebsd.org (Postfix) with ESMTP id EF0D637B41A
	for <freebsd-security@freebsd.org>; Thu, 14 Feb 2002 20:06:49 -0800 (PST)
Received: from there (dhcp14.int [192.168.5.14])
	by w2xo.pgh.pa.us (8.11.6/8.11.3) with SMTP id g1F46kl64701;
	Fri, 15 Feb 2002 04:06:46 GMT
	(envelope-from durham@jcdurham.com)
Message-Id: <200202150406.g1F46kl64701@w2xo.pgh.pa.us>
Content-Type: text/plain;
  charset="iso-8859-1"
From: Jim Durham <durham@jcdurham.com>
Reply-To: durham@jcdurham.com
To: Chris Faulhaber <jedgar@fxp.org>,
	Jim Durham <durham@w2xo.pgh.pa.us>
Subject: Re: Jail question
Date: Thu, 14 Feb 2002 23:06:40 -0500
X-Mailer: KMail [version 1.3]
Cc: freebsd-security@freebsd.org
References: <Pine.BSF.4.21.0202141430160.25249-100000@w2xo.pgh.pa.us> <20020215000121.GA48563@peitho.fxp.org>
In-Reply-To: <20020215000121.GA48563@peitho.fxp.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thursday 14 February 2002 07:01 pm, Chris Faulhaber wrote:
> On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote:
> > I just recently discovered jail and started reading the
> > material by phk on how it works.
> >
> > Ok, you can have a general over-all supervisory root account and
> > you can have a root account in each jail.
> >
> > Let's say you make a jail for each department in a company.
> > Suppose you have a situation where you have certain users who
> > are not capable of system administration, but, they are supervisors
> > who need to be able to read and modify files in all the jails, but
> > not modify system config files, etc owned by the jail root account.
> >
> > How could you accomplish this?
>
> You can wait until 5.0 is released which has support for filesystem
> ACLs allowing finer-grained access control for files :)

That sounds like a good answer. I would assume that one could just
make everything that is not actually a part of the "real system" part
of a jail and apply the ACLs to limit access, thereby protecting the
kernel, /etc, /var and so forth from users or intruders?

-Jim


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message