From owner-freebsd-questions@FreeBSD.ORG Fri Mar 4 15:51:46 2005
From: Anish Mistry
To: virenp@mail.utexas.edu
Cc: freebsd-questions@freebsd.org
Date: Fri, 4 Mar 2005 10:55:35 -0500
Subject: Re: Sharing directories with jails
Message-Id: <200503041055.56317.mistry.7@osu.edu>
In-Reply-To: <32824.146.6.178.5.1109949865.squirrel@mail.cm.utexas.edu>
References: <4227164D.3050103@cis.strath.ac.uk> <200503031815.04158.mistry.7@osu.edu> <32824.146.6.178.5.1109949865.squirrel@mail.cm.utexas.edu>
User-Agent: KMail/1.7

On Friday 04 March 2005 10:24 am, Viren Patel wrote:
> > On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote:
> > > > On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> > > > > [cut original question and answer]
> > > > > > Ok perhaps I should clarify what my intentions are a little
> > > > > > more. I am planning on providing a FreeBSD jail for any member
> > > > > > of a geek society I am a member of. When I say they are
> > > > > > untrusted, I mean that I won't be giving them full root access
> > > > > > to my server but I trust them enough not to do anything
> > > > > > malicious inside a jail. It is just like a fun place they can
> > > > > > play and not have to worry too much about breaking things.
> > > > > > How easy is it exactly to break out of a jail if you have
> > > > > > access to development tools?
> > > >
> > > > http://www.securiteam.com/unixfocus/5WP031535U.html
> > >
> > > How current is this? The article appears to be dated 2001. Are
> > > there still buffer-overflow issues with /proc?
> >
> > 5.3 and later no longer need proc and it's not mounted by default.
> >
> > > > If you use securelevels you can significantly improve security.
> >
> > --
> > Anish Mistry
>
> The jail manpage instructs to mount proc when starting a jail and the
> /etc/rc.d/jail script mounts both devfs and procfs. Are you saying this
> is not needed and if so why and how to disable? Thanks.

The man page is a bit out of date and needs to be updated. The jail script
doesn't mount either dev or proc by default, and there should be no reason
to mount /proc under normal conditions. For your jail named jailname in
rc.conf add the following to automatically mount devfs with the default
jail ruleset:

jail_jailname_devfs_enable="YES"
jail_jailname_devfs_ruleset="devfsrules_jail"

--
Anish Mistry
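As an added illustration of the rc.conf advice above (my own example, not code from the thread or from FreeBSD's rc.d/jail script), a POSIX sh audit that reads an rc.conf and flags a jail that lacks the devfsrules_jail ruleset or mounts procfs. The jail_<name>_procfs_enable knob is assumed to follow the same naming pattern as the devfs variables; the rc.conf fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the jail_<name>_* knobs in an rc.conf
# for one jail: devfs must be mounted with the devfsrules_jail ruleset and procfs
# left off. jail_<name>_procfs_enable is assumed to mirror the devfs naming.
# rc_value FILE NAME: value assigned to NAME (last wins, quotes/comments stripped)
rc_value() {
    _val=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "$2"=*) _val=${_line#*=} ;;
            *) continue ;;
        esac
        case $_val in
            \"*) _val=${_val#\"}; _val=${_val%%\"*} ;;   # quoted value
            *)   _val=${_val%%[[:space:]#]*} ;;         # bare value
        esac
    done < "$1"
    printf '%s\n' "$_val"
}
# audit_jail_rcconf FILE JAIL: 0 if settings match the thread's advice, else 1
audit_jail_rcconf() {
    _ok=0
    _devfs=$(rc_value "$1" "jail_${2}_devfs_enable")
    _ruleset=$(rc_value "$1" "jail_${2}_devfs_ruleset")
    _procfs=$(rc_value "$1" "jail_${2}_procfs_enable")
    case $_devfs in
        [Yy][Ee][Ss]) ;;
        *) echo "$2: jail_${2}_devfs_enable is not YES"; _ok=1 ;;
    esac
    [ "$_ruleset" = devfsrules_jail ] ||
        { echo "$2: devfs ruleset is '${_ruleset:-unset}', not devfsrules_jail"; _ok=1; }
    case $_procfs in
        [Yy][Ee][Ss]) echo "$2: procfs mounted in the jail; not needed on 5.3+"; _ok=1 ;;
    esac
    return $_ok
}
# write_sample_rcconf FILE: constructed fragment with one good and one bad jail
write_sample_rcconf() {
    cat > "$1" <<'EOF'
jail_geek_devfs_enable="YES"
jail_geek_devfs_ruleset="devfsrules_jail"
jail_lab_devfs_enable="YES"   # devfs on, but no ruleset named
jail_lab_procfs_enable="YES"  # procfs mounted, which the thread advises against
EOF
}
_sample=$(mktemp)
write_sample_rcconf "$_sample"
for _j in geek lab; do audit_jail_rcconf "$_sample" "$_j" && echo "$_j: OK"; done
rm -f "$_sample"
```

Run it against a real /etc/rc.conf by calling audit_jail_rcconf with the file and each name from jail_list.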