Date: Thu, 23 Aug 2001 07:06:43 -0700
From: "Shannon Johnson" <shannon@needhams.com>
To: <freebsd-security@freebsd.org>
Cc: "Igor Melnichuk" <simplyi@skif.net>
Subject: Re: jail & security
Message-ID: <00da01c12bdc$d676e480$3303a8c0@needhams.com>
References: <004401c12bd5$21918d60$3303a8c0@needhams.com> <002901c12bd9$d7ecc300$45e03ac3@skif.net>

----- Original Message -----
From: Igor Melnichuk <simplyi@skif.net>
To: <freebsd-security@FreeBSD.ORG>
Sent: Thursday, August 23, 2001 6:45 AM
Subject: Re: jail & security

> > > no chances. It's a very pain jail feature (weakness). :(
> >
> > I actually disagree. It is possible to limit a user's resources within a
> > jail. You can use login classes in a jail just as you can outside it. See
> > login.conf(5)
> > www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf
>
> 100% true and it works fine. But You can't restrict 'root' in case when You
> have to delegate these privileges to somebody (to make customization of
> apache for instance). Such user can always override 'login.conf' so this is
> not 'perfect' solution.
>
> I prefer 'system' control.
>
> igor

I personally disable the root account in all of my jailed environments
(e.g. setting the shell to /sbin/nologin and disabling the password "*")
and use the following script to perform customization within the jail:

http://www.designcurve.net/downloads/os/freebsd/scripts/enter-jail

This script assumes that you set up the jail in the form of
/jail/192.168.x.x/service (e.g. /jail/192.168.3.45/www). In order to use
this script you must be in the host environment (outside of the jail).

---
Shannon
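
A host-side check for the setup described in the message above, added here as an example (it is not the poster's enter-jail script): it walks /jail/<ip>/<service> and reports any uid-0 account in a jail's etc/master.passwd whose password field is not "*" or whose shell is not /sbin/nologin. The function names are hypothetical, and checking every uid-0 account rather than only the one named root goes beyond what the message states.

```shell
#!/bin/sh
# Run from the host, outside the jails. master.passwd(5) fields are
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# audit_jail_root JAILROOT  (hypothetical helper name)
# Prints one line per uid-0 account that is still usable. Returns 0 when every
# uid-0 account has password "*" and shell /sbin/nologin, 1 when one does not,
# 2 when the jail's password database cannot be read.
audit_jail_root() {
    db="$1/etc/master.passwd"
    [ -r "$db" ] || { echo "$1: cannot read etc/master.passwd" >&2; return 2; }
    awk -F: -v jail="$1" '
        /^#/ || NF < 10 { next }    # skip comments and malformed lines
        $3 == 0 {                   # any superuser account, not only "root"
            why = ""
            if ($2 != "*") why = why " password-not-disabled"
            if ($10 != "/sbin/nologin")
                why = why " shell=" ($10 == "" ? "(default)" : $10)
            if (why != "") { printf "%s: %s:%s\n", jail, $1, why; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$db"
}

# audit_all_jails [BASE]  (hypothetical helper name)
# Walks BASE/<ip>/<service>, the layout from the message (default BASE=/jail).
# Returns non-zero if any jail fails the check or cannot be read.
audit_all_jails() {
    base="${1:-/jail}"; rc=0
    for j in "$base"/*/*; do
        [ -d "$j" ] || continue
        audit_jail_root "$j" || rc=1
    done
    return $rc
}

# Constructed sample data (not from the message): a throwaway jail tree with a
# root entry using the given password field and shell, plus one service user.
# make_sample_jail DIR ROOT_PASSWORD_FIELD ROOT_SHELL
make_sample_jail() {
    mkdir -p "$1/etc"
    printf 'root:%s:0:0::0:0:Charlie &:/root:%s\n' "$2" "$3" > "$1/etc/master.passwd"
    printf 'www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin\n' \
        >> "$1/etc/master.passwd"
}
```

Running `audit_all_jails` with no argument from the host checks every jail under /jail; a non-zero exit status means at least one jail still has a usable uid-0 account or could not be read.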