Date:      Sun, 26 Sep 1999 15:51:54 -0500
From:      TrouBle <trouble@hackfurby.com>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        Alexander Bezroutchko <abb@zenon.net>, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject:   Re: about jail
Message-ID:  <37EE876A.C55AC0E0@hackfurby.com>
References:  <11744.938266471@critter.freebsd.dk>

There is a simplistic way to create chrooted/jailed virtual servers for many clients'
domains... without getting into the nasty of BSD code.... I do it daily with one small
program.. and have all services available to many virtual customers/domains on a box
that to the customer looks like 1 system, yet contains over 500 customers.

Poul-Henning Kamp wrote:

> In message <19990925171712.A80535@zenon.net>, Alexander Bezroutchko writes:
>
> >* ping, traceroute don't work due to lack of permissions to create icmp socket.
> > I think it is simple to make a workaround for such problems:
> > create a daemon listening on a unix domain socket for requests from a jail.
> > Daemon will take request and the pid of requesting process, validate it,
> > process and return answer to client.
>
> That would work.
>
> >* only one IP address is available in jail
> > It is acceptable limitation, but some daemons would like to use localhost
> > address (127.0.0.1).
>
> 127.0.0.1 is mapped to the jail address.  telnet localhost does what
> you'd expect it to.
>
> >* whole kernel MIB is readable, and kern.hostname is writable from jail
> > I think we should restrict information about system available from jail --
> > leave readable only data required for proper work of libc
> > functions like gethostname,getpagesize,sysconf, etc.
>
> kern.hostname only writes the name for that jail.
>
> > If we leave kern.hostname writable from jail, we should
> > add new field to `struct jail', say `jailname'.
>
> It's called "p_prison->pr_host" and it was there from day #1.
>
> > And
> > /proc/<PID>/status must show this value.
>
> It already does.
>
> >* scheduling
> > Scheduler must provide equal time quantum to each jail. I think
> > something like "fair share scheduler" is required. Are there any plans
> > to implement such a scheme in FreeBSD?
>
> Not from me.
>
> >* resource limits
> > Current resource limit scheme does not provide enough isolation of jails.
>
> no plans.
>
> >* it is possible to escape from jail
> > Following program escapes from jail (tested under 4.0-19990918-CURRENT):
>
> You're right, I've overlooked that one.  Will fix.
>
> >Has anybody already encountered and solved the problems described above
> >or have any ideas?
>
> No, this is the first one I've heard about.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
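
The helper daemon proposed in the quoted message runs with host privileges, so the step that matters is validating each request from a jail before acting on it. The C code below is an added example of that validation, not code from this thread or from FreeBSD; the request format `PING <ipv4> <count>`, the `MAX_COUNT` policy, the `/sbin/ping` path and all function names are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COUNT 5   /* assumed policy: at most 5 probes per request */

struct ping_req { char addr[INET_ADDRSTRLEN]; int count; };

/* Parse one request line of the assumed form "PING <ipv4-literal> <count>".
 * Returns 0 and fills *out on success, -1 on anything else. */
int parse_request(const char *line, struct ping_req *out)
{
    char verb[8], addr[32], cnt[8], extra, *end;
    struct in_addr ia;
    uint32_t h;
    long n;

    /* Exactly three tokens; a fourth (extra) means trailing junk. */
    if (sscanf(line, "%7s %31s %7s %c", verb, addr, cnt, &extra) != 3)
        return -1;
    /* Address literal only: no hostnames, nothing that parses as an option. */
    if (strcmp(verb, "PING") != 0 || inet_pton(AF_INET, addr, &ia) != 1)
        return -1;
    h = ntohl(ia.s_addr);
    if (h == 0xffffffffu || (h >> 28) == 0xe)   /* broadcast, multicast */
        return -1;
    errno = 0;
    n = strtol(cnt, &end, 10);
    if (errno != 0 || end == cnt || *end != '\0' || n < 1 || n > MAX_COUNT)
        return -1;
    /* Keep the daemon's own canonical rendering, not the client's bytes. */
    inet_ntop(AF_INET, &ia, out->addr, sizeof(out->addr));
    out->count = (int)n;
    return 0;
}

/* Fill argv for execv("/sbin/ping", ...); the request never reaches a shell. */
void build_argv(const struct ping_req *r, char cntbuf[8], const char *argv[5])
{
    snprintf(cntbuf, 8, "%d", r->count);
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = cntbuf;
    argv[3] = r->addr; argv[4] = NULL;
}

int main(void)
{
    /* Constructed requests, as a jailed client might send them. */
    const char *reqs[] = { "PING 192.0.2.10 3", "PING -f 3", "PING 192.0.2.10 1000" };
    struct ping_req r;
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", reqs[i], parse_request(reqs[i], &r) ? "reject" : "accept");
    return 0;
}
```

For the "pid of requesting process" part of the proposal, the daemon should identify the client from the socket itself rather than from anything the client sends.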



