From owner-freebsd-questions@FreeBSD.ORG Mon Apr 26 14:44:04 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC0D116A4CE for ; Mon, 26 Apr 2004 14:44:04 -0700 (PDT) Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2256743D6A for ; Mon, 26 Apr 2004 14:44:03 -0700 (PDT) (envelope-from fw@deneb.enyo.de) Received: (debugging) helo=deneb ip=212.9.189.171 name=deneb.enyo.de Received: from deneb.enyo.de ([212.9.189.171] helo=deneb) by mail.enyo.de with esmtp id 1BIDtR-0002Nd-Ui; Mon, 26 Apr 2004 23:44:01 +0200 Received: from fw by deneb with local (Exim 4.32) id 1BIDtR-0001WQ-Gt; Mon, 26 Apr 2004 23:44:01 +0200 To: antwort@schmalzbauer.de References: <87fzaravaj.fsf@deneb.enyo.de> <200404261342.48970.h@schmalzbauer.de> From: Florian Weimer Date: Mon, 26 Apr 2004 23:44:01 +0200 In-Reply-To: <200404261342.48970.h@schmalzbauer.de> (Harald Schmalzbauer's message of "Mon, 26 Apr 2004 13:42:42 +0200") Message-ID: <87ekqaquse.fsf@deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-questions@freebsd.org Subject: Re: Jail organization X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Apr 2004 21:44:04 -0000 Harald Schmalzbauer writes: >> * Both /usr and /usr/local are shared. >> >> Problem: All software is available in all jails. Some hackery is >> necessary to prevent most of the daemons from starting, and >> setuid/setgid binaries might have issues. > > Use mount_nullfs whenever you need more than the spezialized jail itself was > designed for, eg. when installing a new port > mount_nullfs /hostusr/ports /jailuser/ports. If ports were resstricted to write to a few directories under /usr, I would agree, but this doesn't seem to be the case in practice. > Don't forget in case of a compromised jail the hacker could simply > fill up your filesystem when you use only directories. This is hardly an issue. He could also fill my pipe, and it would cost me lots of money. 8-( -- Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net, postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.