From owner-svn-doc-head@FreeBSD.ORG Wed Apr 9 20:11:05 2014
Message-Id: <201404092011.s39KB5YI014535@svn.freebsd.org>
From: Dru Lavigne
Date: Wed, 9 Apr 2014 20:11:05 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44513 - head/en_US.ISO8859-1/books/handbook/jails
Content-Type: text/plain; charset=UTF-8

Author: dru
Date: Wed Apr 9 20:11:05 2014
New Revision: 44513

URL: http://svnweb.freebsd.org/changeset/doc/44513

Log:
  Integrate later Introduction into the Synopsis of the Jails chapter.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/jails/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Wed Apr 9 20:03:11 2014	(r44512)
+++ head/en_US.ISO8859-1/books/handbook/jails/chapter.xml	Wed Apr 9 20:11:05 2014	(r44513)
@@ -18,34 +18,90 @@ Synopsis - This chapter will provide an explanation of what &os; jails - are and how to use them. Jails, sometimes referred to as an - enhanced replacement of - chroot environments, are a very powerful - tool for system administrators, but their basic usage can also - be useful for advanced users. + Since system administration is a difficult + task, many tools have been developed to make life easier for + the administrator. These tools often enhance + the way systems are installed, configured, and + maintained. One of the tools which can be used to enhance the security + of a &os; system is jails. Jails have + been available since &os; 4.X and continue to be + enhanced in their + usefulness, performance, reliability, and security. - - Jails are a powerful tool, but they are not a security - panacea. It is particularly important to note that while it - is not possible for a jailed process to break out on its own, - there are several ways in which an unprivileged user outside - the jail can cooperate with a privileged user inside the jail - and thereby obtain elevated privileges in the host + Jails build upon the &man.chroot.2; concept, which is used to + change the root directory of a set of processes, creating a + safe environment, separate from the rest of the system. + Processes created in the chrooted environment can not access + files or resources outside of it. For that reason, + compromising a service running in a chrooted environment + should not allow the attacker to compromise the entire system. + However, a chroot has several limitations. It is suited to easy tasks which do not + require much flexibility or complex, advanced features. Over time + many ways have + been found to escape from a chrooted environment, making it + a less than ideal solution for + securing services. + + Jails improve on the concept of the traditional + chroot environment in several ways. 
In a traditional + chroot environment, processes are only limited in the + part of the file system they can access. The rest of the + system resources, system users, running + processes, and the networking subsystem are shared by the + chrooted processes and the processes of the host system. + Jails expand this model by virtualizing access to the + file system, the set of users, and the networking + subsystem. More + fine-grained controls are available for tuning the + access of a jailed environment. + + A jail is characterized by four elements: + + + + A directory subtree: the starting point from + which a jail is entered. Once inside the jail, a process + is not permitted to escape outside of this subtree. + + + + A hostname: which will be used + by the jail. + + + + An IP address: which is + assigned to the jail. The IP address of a jail is + often an alias address for an existing network + interface. + + + + A command: the path name of an executable to + run inside the jail. The path is relative to the + root directory of the jail environment. + + + + Jails have their own set of users + and their own root account which + are limited + to the jail environment. + The root + account of a jail is not allowed to perform operations + to the system outside of the associated jail environment. - Most of these attacks can be mitigated by ensuring that - the jail root is not accessible to unprivileged users in the - host environment. Regardless, as a general rule, untrusted - users with privileged access to a jail should not be given - access to the host environment. - + This chapter provides an overview of jail terminology + are how to use &os; jails. Jails are a powerful + tool for system administrators, but their basic usage can also + be useful for advanced users. After reading this chapter, you will know: - What a jail is, and what purpose it may serve in &os; + What a jail is and what purpose it may serve in &os; installations. 
@@ -59,25 +115,21 @@ - Other sources of useful information about jails are: - - - - The &man.jail.8; manual page. This is the full - reference of the jail utility — the - administrative tool which can be used in &os; to start, - stop, and control &os; jails. - + + Jails are a powerful tool, but they are not a security + panacea. While it + is not possible for a jailed process to break out on its own, + there are several ways in which an unprivileged user outside + the jail can cooperate with a privileged user inside the jail + to obtain elevated privileges in the host + environment. - - The mailing lists and their archives. The archives of - the &a.questions; and other mailing lists hosted by the - &a.mailman.lists; already contain a wealth of material for - jails. It should always be engaging to search the archives, - or post a new question to the &a.questions.name; mailing - list. - - + Most of these attacks can be mitigated by ensuring that + the jail root is not accessible to unprivileged users in the + host environment. As a general rule, untrusted + users with privileged access to a jail should not be given + access to the host environment. + 
@@ -141,111 +193,6 @@ - - Introduction - - Since system administration is a difficult and perplexing - task, many powerful tools were developed to make life easier for - the administrator. These tools mostly provide enhancements of - some sort to the way systems are installed, configured and - maintained. Part of the tasks which an administrator is - expected to do is to properly configure the security of a - system, so that it can continue serving its real purpose, - without allowing security violations. - - One of the tools which can be used to enhance the security - of a &os; system are jails. Jails were - introduced in &os; 4.X by &a.phk.email;, but were greatly - improved in &os; 5.X to make them a powerful and flexible - subsystem. Their development still goes on, enhancing their - usefulness, performance, reliability, and security. - - - What is a Jail - - BSD-like operating systems have had &man.chroot.2; since - the time of 4.2BSD. The &man.chroot.8; utility can be used to - change the root directory of a set of processes, creating a - safe environment, separate from the rest of the system. - Processes created in the chrooted environment can not access - files or resources outside of it. For that reason, - compromising a service running in a chrooted environment - should not allow the attacker to compromise the entire system. - The &man.chroot.8; utility is good for easy tasks which do not - require much flexibility or complex, advanced features. Since - the inception of the chroot concept, however, many ways have - been found to escape from a chrooted environment and, although - they have been fixed in modern versions of the &os; kernel, it - was clear that &man.chroot.2; was not the ideal solution for - securing services. A new subsystem had to be - implemented. - - This is one of the main reasons why - jails were developed. - - Jails improve on the concept of the traditional - &man.chroot.2; environment in several ways. 
In a traditional - &man.chroot.2; environment, processes are only limited in the - part of the file system they can access. The rest of the - system resources (like the set of system users, the running - processes, or the networking subsystem) are shared by the - chrooted processes and the processes of the host system. - Jails expand this model by virtualizing not only access to the - file system, but also the set of users, the networking - subsystem of the &os; kernel and a few other things. A more - complete set of fine-grained controls available for tuning the - access of a jailed environment is described in - . - - A jail is characterized by four elements: - - - - A directory subtree — the starting point from - which a jail is entered. Once inside the jail, a process - is not permitted to escape outside of this subtree. - Traditional security issues which plagued the original - &man.chroot.2; design will not affect &os; jails. - - - - A hostname — the hostname which will be used - within the jail. Jails are mainly used for hosting - network services, therefore having a descriptive hostname - for each jail can really help the system - administrator. - - - - An IP address — this will be - assigned to the jail and cannot be changed in any way - during the jail's life span. The IP address of a jail is - usually an alias address for an existing network - interface, but this is not strictly necessary. - - - - A command — the path name of an executable to - run inside the jail. The path is relative to the - root directory of the jail environment. - - - - Apart from these, jails can have their own set of users - and their own root user. Naturally, the - powers of the root user are limited - within the jail environment and, from the point of view of the - host system, the jail root user is not an - omnipotent user. In addition, the root - user of a jail is not allowed to perform critical operations - to the system outside of the associated &man.jail.8; - environment. 
More information about capabilities and - restrictions of the root user will be - discussed in - below. - - - Creating and Controlling Jails @@ -322,7 +269,7 @@ Once a jail is installed, it can be started by using the &man.jail.8; utility. The &man.jail.8; utility takes four mandatory arguments which are described in the - . Other arguments may be specified + . Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The argument
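Review bot: the new closing paragraph of the Synopsis in the first hunk (@@ -18,34 +18,90 @@) has a typo: "This chapter provides an overview of jail terminology are how to use &os; jails" should read "and how to use &os; jails". In the same hunk, the chroot paragraph now says that escapes make a chroot "a less than ideal solution for securing services", while the Introduction being removed qualified this with "although they have been fixed in modern versions of the &os; kernel"; decide deliberately whether to carry that qualifier over, because the new wording reads as a blanket statement about chroot(2).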
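Review bot: the second hunk (@@ -59,25 +115,21 @@) removes the "Other sources of useful information about jails" list, including the pointer to the &man.jail.8; manual page as the tool used to start, stop and control jails, and the log message ("Integrate later Introduction into the Synopsis") does not mention that removal. Either keep a one-line pointer to &man.jail.8; in the Synopsis or state the removal in the log. The relocated "not a security panacea" paragraph reads well in its new position directly before the mitigation advice about keeping the jail root inaccessible to unprivileged host users.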
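Review bot: the third hunk (@@ -141,111 +193,6 @@) drops two cross-references that the new Synopsis text does not carry over: the link to the section describing the fine-grained controls for tuning a jailed environment ("is described in ...") and the forward reference to where the capabilities and restrictions of the jail root user are discussed ("will be discussed in ... below"). Check that those target sections are still reachable from the Synopsis or from the "After reading this chapter" list; otherwise the new sentence "More fine-grained controls are available for tuning the access of a jailed environment" leaves the reader without a pointer. The removed text also said a jail's IP address "cannot be changed in any way during the jail's life span", which the new wording ("is assigned to the jail") silently drops; confirm that dropping the constraint was intended rather than an editing loss.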
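Review bot: in the last hunk (@@ -322,7 +269,7 @@) the removed and added lines read identically as shown here (". Other arguments may be specified"), because the element inside the sentence did not survive the mail rendering, so the actual change, most likely a retargeted link after the Introduction's section was removed, cannot be verified from the hunk. Please name the retargeted cross-reference in the log message and confirm that "described in the ." still renders with link text rather than an empty reference.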