Sharing directories with jails

Anish Mistry mistry.7 at osu.edu
Thu Mar 3 10:12:56 PST 2005 

On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> Ean Kingston wrote:
> >>How dangerous is it to share the ports directory with jails on
> >> the system?  I am using the jails to give other access to a
> >> freebsd system. You can assume they are untrusted (hence the
> >> jail ;)).
> >>
> >>Is it enough just to:
> >>ln -s /usr/ports /usr/jail/ajail/usr/ports
> >
> > That won't work. The jail does a chroot (along with other things)
> > when it starts up so the link inside the jail will wind up
> > pointing to itself.
>
> Doh! :)
>
> > The only way I've been able to figure out how to do something
> > like that is by running an NFS server outside the jail and then
> > run an NFS client inside the jail to get access to the disk space
> > outside the jail via NFS. I actually have a separate jail for the
> > NFS server and export everything read-only.
>
> Interesting idea.
>
> > Now, I'm sure you've thought of this but I'm going to say it for
> > anyone reading the archives. You do know that giving the jailed
> > processes access to anything outside the jail will reduce the
> > security advantages of having a jail in the first place?
>
> Well I wasn't sure about this...hence the question.
>
> > Besides, why would you provide a jailed process with access to
> > development tools? You are just making it much easier for anyone
> > with access to the jail to build/install software to help them
> > break out of the jail.
> >
> >>Thanks
> >>Chris
>
> Ok perhaps I should clarify what my intentions are a little more. 
> I am planning on providing a FreeBSD jail for any member of a geek
> society I am a member of.  When I say they are untrusted, I mean
> that I won't be giving them full root access to my server but I
> trust them enough not to do anything malicious inside a jail.  It
> is just like a fun place they can play and not have to worry to
> much about breaking things.
>
> How easy is it exactly to break out of a jail if you have access to
> development tools?
>

http://www.securiteam.com/unixfocus/5WP031535U.html

If you use securelevels you can a sigificantly improve security.

-- 
Anish Mistry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050303/ffba07c9/attachment.bin

More information about the freebsd-questions mailing list