From owner-freebsd-security Thu Aug 23 7: 0:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.needhams.com (mail.needhams.com [209.63.39.71]) by hub.freebsd.org (Postfix) with SMTP id 4768037B40A for ; Thu, 23 Aug 2001 07:00:44 -0700 (PDT) (envelope-from shannon@needhams.com) Received: (qmail 14022 invoked from network); 23 Aug 2001 14:00:44 -0000 Received: from unknown (HELO shannon) (192.168.3.51) by mail.needhams.com with SMTP; 23 Aug 2001 14:00:44 -0000 Message-ID: <00da01c12bdc$d676e480$3303a8c0@needhams.com> From: "Shannon Johnson" To: Cc: "Igor Melnichuk" References: <004401c12bd5$21918d60$3303a8c0@needhams.com> <002901c12bd9$d7ecc300$45e03ac3@skif.net> Subject: Re: jail & security Date: Thu, 23 Aug 2001 07:06:43 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: Igor Melnichuk To: Sent: Thursday, August 23, 2001 6:45 AM Subject: Re: jail & security > > > no chances. It's a very pain jail feature (weakness). :( > > > > I actually disagree. It it possible to limit a users resources within a > > jail. You can use login classes in a jail just as you can outside it. See > > login.conf(5) > > www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf > > 100% true and it works fine. But You can't restrict 'root' in case when You > have to delegate this privileges to somebody (to make customization of > apache for instance). Such user can always override 'login.conf' so this is > not 'perfect' solution. > > I prefer 'system' control. > > igor I personally disable the root account in all of my jailed environments (e.g. setting the shell to /sbin/nologin and diabling the password "*") and use the following script to perform customization within the jail http://www.designcurve.net/downloads/os/freebsd/scripts/enter-jail This script assumes that you set up the jail in the form of /jail/192.168.x.x/serivce (e.g. /jail/192.168.3.45/www). In order to use this script you must be in the host environment (outside of the jail). --- Shannon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message