From: "."@babolo.ru
To: part_lion@hotmail.com (Joesh Juphland)
Cc: hackers@FreeBSD.ORG
Date: Fri, 30 Nov 2001 22:44:50 +0300 (MSK)
Subject: Re: more on jail - suitable for multi user system ?
Message-Id: <200111301944.WAA05829@aaz.links.ru>

Joesh Juphland writes:
> One thing I would like to do as a hobby is start a classic multi-user unix
> system and giving out shell accounts to whoever wants one. Not a money
> maker, of course, but it would be fun.
>
> My question: does anyone have any comments on using `jail` in a public
> environment like this - that is, instead of giving away individual shell
> accounts, you would give away individual "jails" - basically a whole
> separate machine with its own IP and own root access, etc. ?

Full jails (that is - every jail has a running sshd) require a different
IP for every jail. A big IP alias list for one interface is needed.
I think about whole network assignment instead of only a host address
for the interface.
It is possible to share the same IP on different ports.
I usually mount /etc into the jail read only to prevent changes
in port/jail mapping at startup and restrict
local_startup="/etc/rc.d".
I have a startup script that automatically assigns IP
and mounts for a starting jail.
The down side of a jailed shell is restrictions
for raw sockets (no ping and traceroute)
and shared memory.

> I am not asking about the commercial viability - it's just a hobby system.
> But in terms of limiting resources (so no one user bogs down the whole
> system) and in terms of security (nobody can turn rogue and bring down /
> compromise the system) is this a viable option ?

Jail is not ideal but is better than with no jail.
There is another answer in the list about resources.

> Or is jail best kept to environments where the users are in-house (trusted)

Best untrusted user is dead user :-)
Best live untrusted user is jailed.

> Another way of asking this would be, was jail developed for, and best used
> for, creating a safe area for daemons like httpd, or was it developed with
> running many full-blown independent systems on a single machine in mind ?

I don't know the developer's mind, but the safe area for daemons
like pop, smtpd (any kind), named, ntpd (in pair with
non-jailed ntpd) and so on created by jail is good enough now.
/bin/sh and friends are evils even in jail.

> _any_ comments appreciated.

Sorry, my English is worse than my knowledge.

--
@BABOLO http://links.ru/