Date: Mon, 7 Mar 2005 13:48:26 -0700 From: Chad Leigh -- Shire.Net LLC <chad@shire.net> To: Frank de Bot <freebsd@searchy.nl> Cc: freebsd-questions@freebsd.org Subject: Re: Jail security Message-ID: <fd4c80712ad4a1876bb00c23f1756bc2@shire.net> In-Reply-To: <422C82DE.6040506@searchy.nl> References: <422C7B99.5010504@searchy.net> <20050307161304.M78434@wcborstel.nl> <422C82DE.6040506@searchy.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mar 7, 2005, at 9:35 AM, Frank de Bot wrote: > Jorn Argelo wrote: >> On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote >>> Hi, >>> >>> I've set up a jail. But I don't have any idea how safe a jail is. >>> Often is told chroot and jails can be escaped. How safe is it to >>> give other people user access to a jailed environment? or maybe even >>> root... >> A jailed process cannot leave its jail. Unless some exploit is being >> found in >> jail itself, but that's rather unlikely. A cracker can only mess up >> your jail >> and not your entire host. So if you build 4 jails for Apache, MySQL, >> Squid and >> Postfix for instance, each of those processes will only run in its >> jail and >> cannot interact with another jail or the host. Which is more secure >> then just >> putting everything on your host. >> Another major advantage of jails is that you can experiment at will >> without touching your production enviroment. Just create a jail and >> install apache in >> the other jail. Once you are finished and it works, just amend your >> firewall >> settings and you're ready to go. >> If you're experienced enough I'd encourage you to use them. It can be >> complicated for a newbie, but if you know your way around FreeBSD and >> the >> command line, you should really use jails. >> Jorn. > > > What if an exploit is found, then root should have the greatest chance > to break out of the jail, or not? > Should it be possible to assign root another UID in a jail (this is > pretty unlikely I think), so IF it breaks out it will find hisself > working as a user at the host system :-P I know it is not exhaustive, and other exploits for escaping chroot/jail may come up, but I have tried many o fthe common chroot ones and never had any luck escaping from a jail... Look at it this way -- if you don't use them for protection, they are already on your machine :-) This is an insulating layer. Chad
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fd4c80712ad4a1876bb00c23f1756bc2>