From: Marton Kenyeres
Organization: KVG Konvergencia Kft.
To: freebsd-security@freebsd.org
Date: Tue, 21 Dec 2004 08:50:25 +0100
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?

On Tuesday 21 December 2004 03:30, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of
> files. Wouldn't it be neat if there were a type of link (not quite
> soft, not quite hard; call it "firm") that would let you link to the
> current master copies of executables (rather than copying them) but
> not let the inmates out of their jails? Hard links have the
> disadvantage that they're broken when you upgrade an executable; soft
> links can't be used because, well, you're in a jail. The type of link
> I have in mind would be symbolic but resolved by the system behind
> the scenes; from inside the jail it wouldn't look like a link.
>
> --Brett

This can be done with nullfs, unionfs or nfs over the loopback
interface.

BTW, hard drives are quite cheap nowadays, so the main problem with
redundant copies is not the space they waste, it's that they are hard
to manage. IMHO `firm` links won't help you a bit.

m.
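The nullfs option named in the reply, as an added example that is not part of the original message: a small sh function that emits /etc/fstab entries mounting the host's master directories read-only inside a chroot/jail tree, so nothing is copied and the tree always sees the current binaries. The jail root `/usr/jail/sftp`, the directory list and the function name `nullfs_fstab_lines` are assumptions.

```shell
#!/bin/sh
# Added example: build fstab entries for read-only nullfs mounts of host
# directories into a chroot/jail tree. Paths below are assumptions.
# One-off equivalent of a single entry:
#   mount_nullfs -o ro /bin /usr/jail/sftp/bin

# nullfs_fstab_lines JAIL_ROOT DIR...
# Prints one fstab line per DIR; returns 1 on an unsafe argument.
nullfs_fstab_lines() {
    root=${1%/}; shift
    case $root in
        /?*) ;;                               # absolute, and not "/" itself
        *) echo "jail root must be an absolute path" >&2; return 1 ;;
    esac
    for dir in "$@"; do
        dir=${dir%/}
        case $dir in
            *..*|*" "*)                       # no traversal, no spaces
                echo "refusing unsafe path: $dir" >&2; return 1 ;;
            "$root"|"$root"/*)                # would mount the jail into itself
                echo "source lies inside jail: $dir" >&2; return 1 ;;
            /?*) ;;
            *) echo "not an absolute path: $dir" >&2; return 1 ;;
        esac
        # Fields: device  mountpoint  fstype  options  dump  pass
        # "ro" keeps the host copy from being modified through this mount.
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$dir" "$root" "$dir"
    done
}

# Constructed sample: a jail sharing four host directories.
nullfs_fstab_lines /usr/jail/sftp /bin /lib /libexec /usr/bin
```

The matching empty mount-point directories must exist under the jail root before the entries are used.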