Date: Thu, 23 Aug 2001 06:11:32 -0700 From: "Shannon Johnson" <shannon@designcurve.net> To: <freebsd-security@FreeBSD.ORG> Subject: Re: jail & security Message-ID: <004401c12bd5$21918d60$3303a8c0@needhams.com>
next in thread | raw e-mail | index | archive | help
> On Thu, 23 Aug 2001, Igor Melnichuk wrote: > no chances. It's a very pain jail feature (weakness). :( I actually disagree. It it possible to limit a users resources within a jail. You can use login classes in a jail just as you can outside it. See login.conf(5) www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf Setting up a jail actually affords allot more security than if you were to contain all services running in the base system. By using a jail, you can limit users resources, strip all potentially destructive binaries (e.g. compilers, suid bin's that are not necessary, etc.), and bind all services to a local IP separate from the host. In addition to this you can now set up more restrictive firewall rules that prevent any user, or compromised user from using any ports such as ftp, ssh/sftp, etc. I have used it extensively both at work and home and am very impressed with both the security and flexibility of a FreeBSD jail. As with all things in life, nothing is a 100% guarantee, however, by adding more layers, you can increase the time it takes to compromise/damage a system. On a personal note the man page for jail www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=jail recommends that you mount a proc file system within the jailed environment. I personally disagree with this and have not mounted a proc file system within the base system or the jailed environment. I know that it may break some binaries (e.g. Linux), however, please make sure that if you are running a 4.2 and 3.x system, make sure that you have the patch for the procfs vulnerability http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html Shannon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004401c12bd5$21918d60$3303a8c0>