restrictions between host and jail
Alexander Leidinger
Alexander at Leidinger.net
Thu Feb 21 14:16:46 UTC 2008
Quoting Tommy Pham <tommyhp2 at yahoo.com> (from Thu, 21 Feb 2008
04:16:58 -0800 (PST)):
> Hi,
>
> Could someone please explain to me the difference between host and jail
> when the security.jail settings are as follow:
>
> security.jail.mount_allowed: 1
You are allowed to use mount inside the jail.
> security.jail.chflags_allowed: 1
You are allowed to change file flags.
> security.jail.allow_raw_sockets: 1
You can ping from inside the jail (actually: you can create any kind
of network traffic, not only system generated TCP/UDP packets, the
most visible change from an user point of view is that you can ping).
> security.jail.enforce_statfs: 2
Don't display FSes outside of a jail to processes inside a jail.
> security.jail.sysvipc_allowed: 1
You can use sysv shared resource (ipcs -a) in a jail. Warning: this
means that every jail is able to access the same shared resources, if
they belong to the same jail or not.
> security.jail.socket_unixiproute_only: 1
Have a look at the man page of jail, I can not produce a shorter
explanation (and I would have to look it up there myself to get the
details right).
> security.jail.set_hostname_allowed: 1
You are allowed to change your hostname from inside the jail. A change
would affect the data in /proc (have a look at the man page of jail to
read more).
Bye,
Alexander.
--
To see the IP addresses currently set on your active interfaces, type
"ifconfig -u".
-- Dru <genesis at istar.ca>
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
More information about the freebsd-jail
mailing list