From: "Shannon Johnson" <shannon@designcurve.net>
To: freebsd-security@freebsd.org
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 06:11:32 -0700
List-ID: freebsd-security@FreeBSD.ORG

> On Thu, 23 Aug 2001, Igor Melnichuk wrote:
> no chances. It's a very pain jail feature (weakness). :(

I actually disagree. It is possible to limit a user's resources within a jail. You can use login classes in a jail just as you can outside it. See login.conf(5):
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf

Setting up a jail actually affords a lot more security than if you were to contain all services running in the base system. By using a jail, you can limit users' resources, strip all potentially destructive binaries (e.g. compilers, suid binaries that are not necessary, etc.), and bind all services to a local IP separate from the host. In addition to this, you can now set up more restrictive firewall rules that prevent any user, or compromised user, from using any ports such as ftp, ssh/sftp, etc.

I have used it extensively both at work and home and am very impressed with both the security and flexibility of a FreeBSD jail. As with all things in life, nothing is a 100% guarantee; however, by adding more layers, you can increase the time it takes to compromise/damage a system.

On a personal note, the man page for jail
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=jail
recommends that you mount a proc file system within the jailed environment. I personally disagree with this and have not mounted a proc file system within the base system or the jailed environment. I know that it may break some binaries (e.g. Linux); however, if you are running a 4.2 or 3.x system, please make sure that you have the patch for the procfs vulnerability:
http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html

Shannon
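The login-class limits Shannon refers to, shown as an added example that is not part of the original post: it assumes a class named `jailed`, illustrative limit values, a jail root directory passed as the first argument and a user name as the second, and is run from the host.

```shell
#!/bin/sh
# Added example (not from the list post): define a restrictive login.conf(5)
# class for users inside a jail and attach a user to it. The class name
# "jailed", the limit values and the jail root path are assumptions.

# Emit the class definition. Each name=value entry without a -cur/-max
# suffix sets both the soft and the hard limit, so a jailed user cannot
# raise it again with ulimit.
jailed_class_def() {
    cat <<'EOF'
jailed:\
	:maxproc=32:\
	:openfiles=256:\
	:datasize=64M:\
	:stacksize=8M:\
	:memoryuse=128M:\
	:coredumpsize=0:\
	:filesize=256M:\
	:cputime=30m:\
	:tc=default:
EOF
}

# Install the class into the jail's own /etc/login.conf, rebuild the
# capability database that login(1) reads, and assign the class to a user.
# $1 = jail root on the host, $2 = user name inside the jail.
install_jailed_class() {
    etc="$1/etc"
    user="$2"
    # Append only once; re-running must not duplicate the entry.
    grep -q '^jailed:' "$etc/login.conf" || jailed_class_def >> "$etc/login.conf"
    # Without cap_mkdb the .db stays stale and the old (unlimited) limits apply.
    cap_mkdb "$etc/login.conf"
    # pw -V points pw at the jail's /etc instead of the host's.
    pw -V "$etc" usermod "$user" -L jailed
}

# Verification, run inside the jail: limits(1) prints the effective limits
# for the class as login(1) would apply them.
show_jailed_limits() {
    limits -C jailed
}
```

After installing, a fresh login as the user should show `limits` output matching the class; an unchanged output usually means cap_mkdb was skipped or the user's class was not set.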