Idea about 'skeleton jail
Chris Hodgins
chodgins at cis.strath.ac.uk
Sun Mar 13 03:59:04 PST 2005
Denis Shaposhnikov wrote:
>>>>>>"Frank" == Frank Knobbe <frank at knobbe.us> writes:
>
>
> Frank> If you nullfs these directories, you lose the ability to
> Frank> prune the jail. Pruning is part of system hardening. I'd
>
> Maybe it's better to use unionfs, so anybody can replace binaries
> with their stub version per jail.
>
This might be a very stupid idea but how about a jailfs. Now I don't
know all that much about filesystem design so bear with me. How about
something like this:
# ls /usr/jail
fulljail smalljail fulljail.conf smalljail.conf
# cd /usr/jail/fulljail
# ls
dev etc home
# cat ../fulljail.conf
allow-all read-only
ignore
/dev
/etc
/usr/home
allow read-write
/usr/ports/distfiles
# cd ../smalljail
# ls
# cat ../smalljail.conf
ignore-all
allow read-only
/bin
/usr/bin
allow read-write
/usr/home
# cd /usr/jail
# jail /usr/jail/fulljail fulljail 127.0.0.1 /bin/sh /etc/rc
# jexec 1 ls
COPYRIGHT boot compat dist etc lib mnt rescue sbin sys
usr bin cdrom dev entropy home libexec proc root stand tmp var
# jail /usr/jail/smalljail smalljail 127.0.0.1 /bin/sh /home/myhome/specialtask.sh
# jexec 2 ls
bin usr home
#
So the jail filesystem is configured at jail-creation time and uses the
host's files or jail files depending on the configuration. Might have to
pass the config file into the jail command.
As I said, I am not an expert. Maybe one of the experts could let me
know what they think?
Chris
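
An added sketch, not part of the original post and not FreeBSD code: one way the two config files above could be parsed and a path resolved to the host's copy (read-only or read-write) or to the jail's own files. The directive semantics, the longest-prefix rule and every function name here are assumptions; jailfs exists only as the idea in this message.

```python
import posixpath

# Constructed: the two config files from the post, as strings.
FULLJAIL_CONF = "allow-all read-only\nignore\n/dev\n/etc\n/usr/home\nallow read-write\n/usr/ports/distfiles\n"
SMALLJAIL_CONF = "ignore-all\nallow read-only\n/bin\n/usr/bin\nallow read-write\n/usr/home\n"
MODES = {"read-only": "ro", "read-write": "rw"}

def _norm(path):
    # Collapse '..' and repeated slashes so prefix matching cannot be sidestepped.
    return posixpath.normpath("/" + path.lstrip("/"))

def parse_conf(text):
    """Return (default, rules); rules maps a path to 'ro', 'rw' or 'jail'."""
    default, current, rules = None, None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0].startswith("/"):
            if current is None or len(words) != 1:
                raise ValueError(f"line {lineno}: path outside a section")
            rules[_norm(words[0])] = current
        elif words[0] == "allow-all" and len(words) == 2 and words[1] in MODES:
            default = MODES[words[1]]      # host tree visible by default
        elif words == ["ignore-all"]:
            default = "jail"               # nothing taken from the host by default
        elif words == ["ignore"]:
            current = "jail"               # listed paths come from the jail's own files
        elif words[0] == "allow" and len(words) == 2 and words[1] in MODES:
            current = MODES[words[1]]      # listed paths come from the host
        else:
            raise ValueError(f"line {lineno}: unknown directive {raw!r}")
    if default is None:
        raise ValueError("no allow-all / ignore-all default")
    return default, rules

def resolve(conf, path):
    """Longest matching path prefix wins (string level only, no symlink handling)."""
    default, rules = conf
    path = _norm(path)
    while path != "/":
        if path in rules:
            return rules[path]
        path = posixpath.dirname(path)
    return rules.get("/", default)

if __name__ == "__main__":
    small = parse_conf(SMALLJAIL_CONF)
    for p in ("/bin/sh", "/usr/home/me", "/etc/passwd", "/usr/bin/../../etc/passwd"):
        print(p, "->", resolve(small, p))
```

Matching is done per path component after normalisation, so /usr/binx does not inherit the /usr/bin rule and a '..' sequence cannot climb out of an allowed directory.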