Some questions about jails
Claudiu Dragalina-Paraipan
dr.clau at rdslink.ro
Wed Sep 22 11:02:29 PDT 2004
Hi,
Matteo Riondato wrote:
> Hello hackers!
>
> I've a few questions about jail(8) and hope you'll be so kind to answer
> them =)
>
> First of all: Why is procfs(5) required inside a jail (speaking about
> 5.x and 6)?
> "As procfs is considered deprecated due to its inherent security
> risks", why should it be used inside a jail?
Maybe some software might not work without it, so it is a good thing to
have it around. You don't need to start a jail with procfs, it is your
decision.
>
> Second question: why does an "ifconfig" from inside a jail list every
> network card present in the host system? Wouldn't it be better if only
> lo0 and the interface with the jail IP are listed? I think it will,
> because it's my personal opinion (please refute me, I can be wrong) that
> one of the jail's purposes is to fool the jail users, making them believe that
> they are inside a real system. I came to this conclusion reading about
> security.jail.getfstatroot_only in jail(8).
In general, I don't think it is about fooling the jail user. It is about
isolating the user or the attacker that manages to get into the jail.
I think this is why the jail was initially created.
Also, you might find this link interesting:
http://kerneltrap.org/node/view/3075
>
> Thank you in advance for your replies.
> Best Regards
With respect,
--
Claudiu Dragalina-Paraipan
e-mail: dr.clau at rdslink.ro
More information about the freebsd-hackers
mailing list