Date: Mon, 26 Apr 2004 23:44:01 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: antwort@schmalzbauer.de
Cc: freebsd-questions@freebsd.org
Subject: Re: Jail organization
Message-ID: <87ekqaquse.fsf@deneb.enyo.de>
In-Reply-To: <200404261342.48970.h@schmalzbauer.de> (Harald Schmalzbauer's message of "Mon, 26 Apr 2004 13:42:42 +0200")
References: <87fzaravaj.fsf@deneb.enyo.de> <200404261342.48970.h@schmalzbauer.de>

Harald Schmalzbauer <h@schmalzbauer.de> writes:

>> * Both /usr and /usr/local are shared.
>>
>> Problem: All software is available in all jails. Some hackery is
>> necessary to prevent most of the daemons from starting, and
>> setuid/setgid binaries might have issues.
>
> Use mount_nullfs whenever you need more than the specialized jail itself was
> designed for, e.g. when installing a new port
> mount_nullfs /hostusr/ports /jailuser/ports.

If ports were restricted to write to a few directories under /usr, I
would agree, but this doesn't seem to be the case in practice.

> Don't forget in case of a compromised jail the hacker could simply
> fill up your filesystem when you use only directories.

This is hardly an issue. He could also fill my pipe, and it would
cost me lots of money. 8-(

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net,
postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.