restrictions between host and jail

Tommy Pham tommyhp2 at yahoo.com
Thu Feb 21 19:10:00 UTC 2008 

--- Alexander Leidinger <Alexander at Leidinger.net> wrote:

> Quoting Tommy Pham <tommyhp2 at yahoo.com> (from Thu, 21 Feb 2008  
> 04:16:58 -0800 (PST)):
> 
> > Hi,
> >
> > Could someone please explain to me the difference between host and
> jail
> > when the security.jail settings are as follow:
> >
> > security.jail.mount_allowed: 1
> 
> You are allowed to use mount inside the jail.
> 
> > security.jail.chflags_allowed: 1
> 
> You are allowed to change file flags.
> 
> > security.jail.allow_raw_sockets: 1
> 
> You can ping from inside the jail (actually: you can create any kind 
> 
> of network traffic, not only system generated TCP/UDP packets, the  
> most visible change from an user point of view is that you can ping).
> 
> > security.jail.enforce_statfs: 2
> 
> Don't display FSes outside of a jail to processes inside a jail.
> 
> > security.jail.sysvipc_allowed: 1
> 
> You can use sysv shared resource (ipcs -a) in a jail. Warning: this  
> means that every jail is able to access the same shared resources, if
>  
> they belong to the same jail or not.
> 
> > security.jail.socket_unixiproute_only: 1
> 
> Have a look at the man page of jail, I can not produce a shorter  
> explanation (and I would have to look it up there myself to get the  
> details right).
> 
> > security.jail.set_hostname_allowed: 1
> 
> You are allowed to change your hostname from inside the jail. A
> change  
> would affect the data in /proc (have a look at the man page of jail
> to  
> read more).
> 
> Bye,
> Alexander.
> 
> -- 
> To see the IP addresses currently set on your active interfaces, type
> "ifconfig -u".
> 		-- Dru <genesis at istar.ca>
> 
> http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID =
> B0063FE7
> http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID =
> 72077137
> 

Hi Alexander,

Thanks for the reply.  I understand what those options but What I'm
trying to ask is as I've set those options for the jails, what other
differences are there between host & jail environment since turning on
those options lessen the jail's restriction of resources similar or
exactly as in host environment?

Thanks,
Tommy

More information about the freebsd-jail mailing list