Date: Thu, 3 Mar 2005 11:04:32 -0500 (EST) From: "Ean Kingston" <ean@hedron.org> To: "Chris Hodgins" <chodgins@cis.strath.ac.uk> Cc: freebsd-questions@freebsd.org Subject: Re: Sharing directories with jails Message-ID: <2939.216.220.59.169.1109865872.squirrel@216.220.59.169> In-Reply-To: <4227164D.3050103@cis.strath.ac.uk> References: <4227164D.3050103@cis.strath.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
> How dangerous is it to share the ports directory with jails on the > system? I am using the jails to give other access to a freebsd system. > You can assume they are untrusted (hence the jail ;)). > > Is it enough just to: > ln -s /usr/ports /usr/jail/ajail/usr/ports That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself. The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only. Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place? Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail. > Thanks > Chris -- Ean Kingston E-Mail: ean_AT_hedron_DOT_org PGP KeyID: 1024D/CBC5D6BB URL: http://www.hedron.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2939.216.220.59.169.1109865872.squirrel>