Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 22 Apr 2005 14:22:28 +0000
From:      "Jas arlerr" <jas_arlerr@hotmail.com>
To:        joerg@britannica.bec.de, freebsd-hackers@freebsd.org
Subject:   Re: Configuration differences for jails
Message-ID:  <BAY2-F145FE52845E264507F3634F22D0@phx.gbl>
next in thread | raw e-mail | index | archive | help 


>From: Joerg Sonnenberger <joerg@britannica.bec.de>
>To: freebsd-hackers@freebsd.org
>Subject: Re: Configuration differences for jails
>Date: Thu, 21 Apr 2005 13:43:59 +0200
>
>On Thu, Apr 21, 2005 at 07:39:08AM -0400, c0ldbyte wrote:
> > Now if that last question is correct and thats the proccess you are 
using
> > to create a jail then depending on the situation wouldnt that inturn
> > defeat some of the main purposes of the jail, like the following. If 
you
> > mounted your "/bin" on "/mnt/jail/bin" then if a person that was 
looking
> > to break in and effect the system that is currently locked in the 
"jail"
> > all he would have to do is just write something to the "jail/bin" which 
is
> > actualy your root "/bin" and then the next time a binary is used from 
your
> > root directories it could still infect the rest of the system 
ultimately
> > defeating the purpose of what you just set up. To my understanding and 
use
> > a jail is somewhat totaly independent of the OS that it resides in and
> > wont be if you are using nullfs to mount root binary directories on it.
>
>ro mount as written by grant parent protects against this.
>
I am not very familar with mount_nullfs, but i think it is _one_ copy with 
_multiple_ 
references(FIXME).So if we modify something in one jail, the same effect 
will
also impose on other jails,even the real machine. Due to this problem,
readonly mounts may be a good choice.
BUT if we do some things related to the /etc files, such as passwd, ro 
mounts can 
not deal with this situation because different jails need different passwd 
files for
private users.
So I think this can only be done by making a copy of relevant files but not 
ro
mounts.
Any idea?

regards
Jas

_________________________________________________________________
享用世界上最大的电子邮件系统— MSN Hotmail。 http://www.hotmail.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAY2-F145FE52845E264507F3634F22D0>