Sharing directories with jails

[Chris Hodgins]

Ean Kingston wrote:
>>How dangerous is it to share the ports directory with jails on the
>>system?  I am using the jails to give other access to a freebsd system.
>>  You can assume they are untrusted (hence the jail ;)).
>>
>>Is it enough just to:
>>ln -s /usr/ports /usr/jail/ajail/usr/ports
> 
> 
> That won't work. The jail does a chroot (along with other things) when it
> starts up so the link inside the jail will wind up pointing to itself.

Doh! :)

> 
> The only way I've been able to figure out how to do something like that is
> by running an NFS server outside the jail and then run an NFS client
> inside the jail to get access to the disk space outside the jail via NFS.
> I actually have a separate jail for the NFS server and export everything
> read-only.

Interesting idea.

> 
> Now, I'm sure you've thought of this but I'm going to say it for anyone
> reading the archives. You do know that giving the jailed processes access
> to anything outside the jail will reduce the security advantages of having
> a jail in the first place?

Well I wasn't sure about this...hence the question.

> 
> Besides, why would you provide a jailed process with access to development
> tools? You are just making it much easier for anyone with access to the
> jail to build/install software to help them break out of the jail.
> 
> 
>>Thanks
>>Chris
> 
> 

Ok perhaps I should clarify what my intentions are a little more.  I am 
planning on providing a FreeBSD jail for any member of a geek society I 
am a member of.  When I say they are untrusted, I mean that I won't be 
giving them full root access to my server but I trust them enough not to 
do anything malicious inside a jail.  It is just like a fun place they 
can play and not have to worry to much about breaking things.

How easy is it exactly to break out of a jail if you have access to 
development tools?

Chris