Jail organization

[Florian Weimer]

Harald Schmalzbauer <h at schmalzbauer.de> writes:

>>   * Both /usr and /usr/local are shared.
>>
>>     Problem: All software is available in all jails.  Some hackery is
>>     necessary to prevent most of the daemons from starting, and
>>     setuid/setgid binaries might have issues.
>
> Use mount_nullfs whenever you need more than the spezialized jail itself was 
> designed for, eg. when installing a new port 
> mount_nullfs /hostusr/ports /jailuser/ports.

If ports were resstricted to write to a few directories under /usr, I
would agree, but this doesn't seem to be the case in practice.

> Don't forget in case of a compromised jail the hacker could simply
> fill up your filesystem when you use only directories.

This is hardly an issue.  He could also fill my pipe, and it would
cost me lots of money. 8-(

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, netscape.net,
postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.