From: ll@i-logic.ch
To: freebsd-isp@freebsd.org
Date: Thu, 19 Jul 2001 04:04:29 +0200
Subject: Various admin problems and jails
Message-ID: <3B565C4D.12771.7839A78@localhost>

Hello,

I'm a new FreeBSD admin and I have a little problem making jails exactly the way I want. I plan to run all the services of the machine in jails. I will make a slice for the base system, and a slice for each jail (I will only have a small, fixed number of jails). Like this:

Slice 1 [base system]:
    s1a  /                  ro nosuid
    s1b  SWAP
    s1c  /usr               ro
    s1d  /usr/local         nosuid
    s1e  /usr/home          noexec,nosuid
    s1f  /tmp               noexec,nosuid
    s1g  /var               noexec,nosuid

Slice 2 [Jail 1]:
    s2a  /jail1/            ro nosuid
    s2b  /jail1/usr         ro
    s2c  /jail1/usr/local   nosuid
    s2d  /jail1/usr/home    noexec,nosuid
    s2e  /jail1/tmp         noexec,nosuid
    s2f  /jail1/var         noexec,nosuid

Slice 3 [Jail 2]:
    ...
...

I will only admin this computer remotely (it will be very far from me).
=> Unless there is a very important remotely exploitable hole in the kernel, I will never change the base system or the kernel; all my updates will only apply to the jails. My system will be in securelevel 2 by default.

My problem with jails is the following: when you compile your jail, some files are set with the schg flag, so I can no longer delete or update these files (=> and the jail) remotely (yes, I can change the secure level, reboot, modify them, change rc.conf and reboot, but I don't much like remote reboots...).
=> I am looking for a way to install the files of a jail without the install setting these flags. There is no security problem, because as you can see above, the jail will be partitioned and the partition that normally holds the schg files will be mounted read-only after the compilation.

My other question is whether I should CVS RELENG_4_3 or RELENG_4. To be precise, this is only for recompiling jails; the base system and the kernel will not be recompiled remotely. Is there a risk of incompatibility between a 4.3 Release kernel and some binaries compiled for a jail using the 4 stable branch? How long do you think the RELENG_4_3 branch will continue to have security updates? I have seen that with FreeBSD, the security patches are more or less only for the last release; if RELENG_4_3 doesn't evolve when 4.4 Release appears, I should preferably CVS the stable branch.

Thanks in advance, excuse me for my shit English :-)

Leo