Sharing directories with jails
Chris Hodgins
chodgins at cis.strath.ac.uk
Thu Mar 3 09:37:47 PST 2005
Ean Kingston wrote:
>>How dangerous is it to share the ports directory with jails on the
>>system? I am using the jails to give others access to a FreeBSD system.
>> You can assume they are untrusted (hence the jail ;)).
>>
>>Is it enough just to:
>>ln -s /usr/ports /usr/jail/ajail/usr/ports
>
>
> That won't work. The jail does a chroot (along with other things) when it
> starts up so the link inside the jail will wind up pointing to itself.
Doh! :)
>
> The only way I've been able to figure out how to do something like that is
> by running an NFS server outside the jail and then run an NFS client
> inside the jail to get access to the disk space outside the jail via NFS.
> I actually have a separate jail for the NFS server and export everything
> read-only.
Interesting idea.
>
> Now, I'm sure you've thought of this but I'm going to say it for anyone
> reading the archives. You do know that giving the jailed processes access
> to anything outside the jail will reduce the security advantages of having
> a jail in the first place?
Well I wasn't sure about this...hence the question.
>
> Besides, why would you provide a jailed process with access to development
> tools? You are just making it much easier for anyone with access to the
> jail to build/install software to help them break out of the jail.
>
>
>>Thanks
>>Chris
>
>
Ok perhaps I should clarify what my intentions are a little more. I am
planning on providing a FreeBSD jail for any member of a geek society I
am a member of. When I say they are untrusted, I mean that I won't be
giving them full root access to my server but I trust them enough not to
do anything malicious inside a jail. It is just like a fun place they
can play and not have to worry too much about breaking things.
How easy is it exactly to break out of a jail if you have access to
development tools?
Chris
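
Added example, not part of the original thread: a small simulation of the symlink behaviour Ean describes, where an absolute link target is looked up from the process's own root, so `/usr/ports` inside the jail resolves back to the link itself. The helper `resolve_in_root` and the temporary directory tree are constructed for illustration; no real chroot or jail is started.

```python
import errno
import os
import tempfile

def resolve_in_root(root, path, max_links=32):
    """Resolve `path` the way a process whose root directory is `root` would."""
    pending = [c for c in path.split("/") if c]
    done = []       # components already resolved, relative to `root`
    followed = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if done:
                done.pop()      # ".." at the root stays at the root
            continue
        candidate = os.path.join(root, *done, comp)
        if os.path.islink(candidate):
            followed += 1
            if followed > max_links:
                raise OSError(errno.ELOOP, "too many levels of symbolic links", path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                done = []       # absolute target restarts at the process root
            pending = [c for c in target.split("/") if c] + pending
        else:
            done.append(comp)
    return os.path.join(root, *done)

def demo():
    """Build a constructed tree and resolve the link from both viewpoints."""
    host = os.path.realpath(tempfile.mkdtemp())   # stands in for the host's /
    jail = os.path.join(host, "usr/jail/ajail")   # stands in for the jail root
    os.makedirs(os.path.join(host, "usr/ports"))
    os.makedirs(os.path.join(jail, "usr"))
    # Same link as in the question: ln -s /usr/ports /usr/jail/ajail/usr/ports
    os.symlink("/usr/ports", os.path.join(jail, "usr/ports"))
    host_view = resolve_in_root(host, "/usr/jail/ajail/usr/ports")
    try:
        jail_view = resolve_in_root(jail, "/usr/ports")
    except OSError as exc:
        jail_view = errno.errorcode[exc.errno]
    return host, host_view, jail_view

if __name__ == "__main__":
    host, host_view, jail_view = demo()
    print("host view:", "/" + os.path.relpath(host_view, host))
    print("jail view:", jail_view)
```

From the host's root the link reaches the real ports tree; from the jail's root the same link keeps landing on itself until the link limit is hit.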