Date: Mon, 20 Dec 2004 19:30:00 -0700 From: Brett Glass <brett@lariat.org> To: Nigel Houghton <nigel@sourcefire.com> Cc: freebsd-security@freebsd.org Subject: Re: chroot-ing users coming in via SSH and/or SFTP? Message-ID: <6.2.0.14.2.20041220191915.0531e798@localhost> In-Reply-To: <20041220221928.GA2698@sourcefire.com> References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 03:19 PM 12/20/2004, Nigel Houghton wrote: >Take a look at the Jail project, you'll find it here... > > http://www.jmcresearch.com/projects/jail/ > >..and in ports/sysutils/ along with some other jail tools, it may >provide some of the features you are looking for. Looks useful. (Shame it's GPLed.) In any case, it seems to me that creation of a jail the way this tool does it (and the way most people have to do it in general) requires a lot of redundant copies of files. Wouldn't it be neat if there were a type of link (not quite soft, not quite hard; call it "firm") that would let you link to the current master copies of executables (rather than copying them) but not let the inmates out of their jails? Hard links have the disadvantage that they're broken when you upgrade an executable; soft links can't be used because, well, you're in a jail. The type of link I have in mind would be symbolic but resolved by the system behind the scenes; from inside the jail it wouldn't look like a link. --Brett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.0.14.2.20041220191915.0531e798>