Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 23 Aug 2001 06:11:32 -0700
From:      "Shannon Johnson" <shannon@designcurve.net>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: jail & security
Message-ID:  <004401c12bd5$21918d60$3303a8c0@needhams.com>

next in thread | raw e-mail | index | archive | help
> On Thu, 23 Aug 2001, Igor Melnichuk wrote:

> no chances. It's a very pain jail feature (weakness). :(

I actually disagree. It it possible to limit a users resources within a
jail. You can use login classes in a jail just as you can outside it.  See
login.conf(5)
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf

Setting up a jail actually affords allot more security than if you were to
contain all services running in the base system. By using a jail, you can
limit users resources, strip all potentially destructive binaries (e.g.
compilers, suid bin's that are not necessary, etc.), and bind all services
to a local IP separate from the host. In addition to this you can now set up
more restrictive firewall rules that prevent any user, or compromised user
from using any ports such as ftp, ssh/sftp, etc.

I have used it extensively both at work and home and am very impressed with
both the security and flexibility of a FreeBSD jail. As with all things in
life, nothing is a 100% guarantee, however, by adding more layers, you can
increase the time it takes to compromise/damage a system.

On a personal note the man page for jail
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=jail
recommends that you mount a proc file system within the jailed environment.
I personally disagree with this and have not mounted a proc file system
within the base system or the jailed environment. I know that it may break
some binaries (e.g. Linux), however, please make sure that if you are
running a 4.2 and 3.x system, make sure that you have the patch for the
procfs vulnerability http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html


Shannon


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004401c12bd5$21918d60$3303a8c0>