From owner-freebsd-hackers Sat Sep 25 12:49:32 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from bekool.com (ns2.netquick.net [216.48.34.2])
    by hub.freebsd.org (Postfix) with ESMTP id E0DB814CC7;
    Sat, 25 Sep 1999 12:49:20 -0700 (PDT)
    (envelope-from trouble@hackfurby.com)
Received: from bastille.netquick.net ([216.48.32.159] helo=hackfurby.com)
    by bekool.com with esmtp (Exim 3.03 #1) id 11Uy7D-0006Xf-00;
    Sat, 25 Sep 1999 20:08:15 +0000
Message-ID: <37EE876A.C55AC0E0@hackfurby.com>
Date: Sun, 26 Sep 1999 15:51:54 -0500
From: TrouBle
Reply-To: trouble@hackfurby.com
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Poul-Henning Kamp
Cc: Alexander Bezroutchko, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: about jail
References: <11744.938266471@critter.freebsd.dk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

There is a simplistic way to create chrooted/jailed virtual servers for
many clients' domains... without getting into the nasty of BSD code....
I do it daily with one small program.. and have all services available to
many virtual customers/domains on a box that, to the customer, looks like
1 system, yet contains over 500 customers.

Poul-Henning Kamp wrote:

> In message <19990925171712.A80535@zenon.net>, Alexander Bezroutchko writes:
>
> >* ping, traceroute doesn't work due to lack of permissions to create icmp socket.
> > I think it is simple to make workaround for such problems:
> > create a daemon listening on a unix domain socket for request from a jail.
> > Daemon will take request and the pid of requesting process, validate it,
> > process and return answer to client.
>
> That would work.
>
> >* only one IP address is available in jail
> > It is acceptable limitation, but some daemons would like to use localhost
> > address (127.0.0.1).
>
> 127.0.0.1 is mapped to the jail address. telnet localhost does what
> you'd expect it to.
>
> >* whole kernel MIB is readable, and kern.hostname is writable from jail
> > I think we should restrict information about system available from jail --
> > leave readable only data required for proper work of libc
> > functions like gethostname,getpagesize,sysconf, etc.
>
> kern.hostname only writes the name for that jail.
>
> > If we leave kern.hostname writable from jail, we should
> > add new field to `struct jail', say `jailname'.
>
> It's called "p_prison->pr_host" and it was there from day #1.
>
> > And
> > /proc//status must show this value.
>
> It already does.
>
> >* scheduling
> > Scheduler must provide equal time quantum to each jail. I think
> > something like "fair share scheduler" required. Is there any plans
> > to implement such scheme in FreeBSD ?
>
> Not from me.
>
> >* resource limits
> > Current resource limit scheme does not provide enough isolation of jails.
>
> no plans.
>
> >* it is possible to escape from jail
> > Following program escapes from jail (tested under 4.0-19990918-CURRENT):
>
> You're right, I've overlooked that one. Will fix.
>
> >Does anybody already encountered and solved problems described above
> >or have an ideas ?
>
> No, this is the first one I've heard about.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
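
Added example (not part of the thread and not code from any of its participants): a sketch of the "validate it" step of the helper daemon proposed in the quoted text, where a process outside the jail accepts ping requests over a Unix domain socket and builds the command itself. The wire format, the limits, the address policy and the names parse_request and serve_one are assumptions made for illustration; identifying the requesting process, which the proposal also mentions, is not shown.

```python
import ipaddress
import socket

MAX_REQ = 64          # assumed limit on request size
MAX_COUNT = 5         # assumed cap on echo requests per call
PING = "/sbin/ping"   # run by argv, never through a shell

def parse_request(raw: bytes):
    """Parse one 'PING <ipv4> <count>' line (made-up wire format); return argv."""
    if len(raw) > MAX_REQ or not raw.endswith(b"\n"):
        raise ValueError("bad framing")
    try:
        verb, host, count = raw.decode("ascii").split()
    except ValueError:  # covers UnicodeDecodeError and wrong field count
        raise ValueError("bad syntax") from None
    if verb != "PING":
        raise ValueError("unsupported verb")
    # IPv4 literals only: no names to resolve, and nothing starting with '-'
    # survives to be read by ping as an option.
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        raise ValueError("bad address") from None
    if addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ValueError("address not allowed")  # assumed policy
    if not count.isdigit() or not 1 <= int(count) <= MAX_COUNT:
        raise ValueError("bad count")
    return [PING, "-c", str(int(count)), str(addr)]

def serve_one(conn: socket.socket, runner) -> None:
    """Handle one request; runner(argv) -> bytes performs the privileged step."""
    raw = conn.recv(MAX_REQ + 1)
    try:
        argv = parse_request(raw)
    except ValueError as exc:
        conn.sendall(b"ERR " + str(exc).encode() + b"\n")
        return
    conn.sendall(b"OK\n" + runner(argv))

if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for the socket inside the jail.
    jail_side, daemon_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    for req in (b"PING 192.0.2.7 3\n", b"PING -f 1\n", b"PING 192.0.2.7 9999\n"):
        jail_side.sendall(req)
        serve_one(daemon_side, lambda argv: " ".join(argv).encode() + b"\n")
        print(req, "->", jail_side.recv(256))
```

In the demo the runner only echoes the argv it was given; a real helper would pass that list to subprocess.run without a shell.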