Date: Sun, 26 Sep 1999 15:51:54 -0500
From: TrouBle <trouble@hackfurby.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Alexander Bezroutchko <abb@zenon.net>, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: about jail
Message-ID: <37EE876A.C55AC0E0@hackfurby.com>
References: <11744.938266471@critter.freebsd.dk>

there is a simplistic way to create chrooted/jailed virtual servers for
many clients domains... without getting into the nasty of bsd code....
i do it daily with one small program.. and have all services available
to many virtual customers/domains on a box. that to the customer looks
like 1 system, yet contains over 500 customers.

Poul-Henning Kamp wrote:

> In message <19990925171712.A80535@zenon.net>, Alexander Bezroutchko writes:
>
> >* ping, traceroute doesn't work due to lack of permissions to create icmp socket.
> >  I think it is simple to make workaround for such problems:
> >  create a daemon listening on a unix domain socket for request from a jail.
> >  Daemon will take request and the pid of requesting process, validate it,
> >  process and return answer to client.
>
> That would work.
>
> >* only one IP address is available in jail
> >  It is acceptable limitation, but some daemons would like to use localhost
> >  address (127.0.0.1).
>
> 127.0.0.1 is mapped to the jail address. telnet localhost does what
> you'd expect it to.
>
> >* whole kernel MIB is readable, and kern.hostname is writable from jail
> >  I think we should restrict information about system available from jail --
> >  leave readable only data required for proper work of libc
> >  functions like gethostname,getpagesize,sysconf, etc.
>
> kern.hostname only writes the name for that jail.
>
> >  If we leave kern.hostname writable from jail, we should
> >  add new field to `struct jail', say `jailname'.
>
> It's called "p_prison->pr_host" and it was there from day #1.
>
> >  And
> >  /proc/<PID>/status must show this value.
>
> It already does.
>
> >* scheduling
> >  Scheduler must provide equal time quantum to each jail. I think
> >  something like "fair share scheduler" required. Is there any plans
> >  to implement such scheme in FreeBSD ?
>
> Not from me.
>
> >* resource limits
> >  Current resource limit scheme does not provide enough isolation of jails.
>
> no plans.
>
> >* it is possible to escape from jail
> >  Following program escapes from jail (tested under 4.0-19990918-CURRENT):
>
> You're right, I've overlooked that one. Will fix.
>
> >Does anybody already encountered and solved problems described above
> >or have an ideas ?
>
> No, this is the first one I've heard about.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
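
The helper-daemon workaround quoted above (a daemon on a unix domain socket that takes a jailed process's request, identifies the requester and validates it before acting), as an added example that is not part of the original message or of FreeBSD's code. It assumes Linux's SO_PEERCRED for the kernel-supplied pid/uid/gid (FreeBSD's counterparts are getpeereid(3) and LOCAL_PEERCRED); the JSON request format, ALLOWED_UIDS, MAX_COUNT and the /sbin/ping path are hypothetical.

```python
import ipaddress
import json
import os
import socket
import struct
import subprocess

MAX_COUNT = 5                  # hypothetical cap on echo requests per call
ALLOWED_UIDS = {os.getuid()}   # hypothetical policy: uids allowed to ask
PING = "/sbin/ping"            # assumed path of the real ping binary

def peer_credentials(conn):
    """(pid, uid, gid) of the peer as recorded by the kernel, not as claimed
    by the client. Linux SO_PEERCRED is assumed here."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)

def validate(request_bytes):
    """Turn an untrusted request into a fixed argv, or raise ValueError."""
    req = json.loads(request_bytes.decode("ascii"))
    if not isinstance(req, dict) or set(req) != {"op", "target", "count"}:
        raise ValueError("unexpected fields")
    if req["op"] != "ping" or not isinstance(req["target"], str):
        raise ValueError("unsupported operation")
    # Literal IP addresses only: rejects hostnames and option-like strings.
    addr = ipaddress.ip_address(req["target"])
    if type(req["count"]) is not int or not 1 <= req["count"] <= MAX_COUNT:
        raise ValueError("count out of range")
    return [PING, "-c", str(req["count"]), str(addr)]

def run_ping(argv):
    done = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return done.stdout

def handle(conn, run=run_ping):
    """Serve one request on an accepted connection and return the reply."""
    pid, uid, _gid = peer_credentials(conn)
    if uid not in ALLOWED_UIDS:
        reply = {"ok": False, "error": "uid not allowed", "pid": pid}
    else:
        try:
            reply = {"ok": True, "pid": pid,
                     "output": run(validate(conn.recv(512)))}
        except ValueError as exc:
            reply = {"ok": False, "error": str(exc), "pid": pid}
    conn.sendall(json.dumps(reply).encode("ascii"))
    return reply
```

The daemon never passes client text to a shell: the only client-controlled values that reach the argv are a parsed IP address and a bounded integer.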