Sharing directories with jails

Anish Mistry mistry.7 at osu.edu
Fri Mar 4 07:51:46 PST 2005 

On Friday 04 March 2005 10:24 am, Viren Patel wrote:
> > On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote:
> >> > On Thursday 03 March 2005 12:42 pm, Chris Hodgins
> >>
> >> wrote:
> >>
> >> [cut original question and answer]
> >>
> >> >> Ok perhaps I should clarify what my intentions are a
> >>
> >> little
> >>
> >> >> more. I am planning on providing a FreeBSD jail for
> >>
> >> any member
> >>
> >> >> of a geek society I am a member of.  When I say they
> >>
> >> are
> >>
> >> >> untrusted, I mean that I won't be giving them full
> >>
> >> root access
> >>
> >> >> to my server but I trust them enough not to do
> >>
> >> anything
> >>
> >> >> malicious inside a jail.  It is just like a fun place
> >>
> >> they can
> >>
> >> >> play and not have to worry to much about breaking
> >>
> >> things.
> >>
> >> >> How easy is it exactly to break out of a jail if you
> >>
> >> have access
> >>
> >> >> to development tools?
> >> >
> >> > http://www.securiteam.com/unixfocus/5WP031535U.html
> >>
> >> How current is this? The article appears to be dated
> >> 2001. Are
> >> there still buffer-overflow issues with /proc?
> >
> > 5.3 and later no longer need proc and it's not mounted by
> > default.
> >
> >> > If you use securelevels you can a sigificantly improve
> >>
> >> security.
> >
> > --
> > Anish Mistry
>
> The jail manpage instructs to mount proc when starting a
> jail and the /etc/rc.d/jail scripts mounts both devfs and
> procfs. Are you saying this is not needed and if so why
> and how to disable? Thanks.
>
The man page is bit out of date and needs to updated.  The jail script 
doesn't mount either dev or proc by default, and there should be no 
reason to mount /proc under normal conditions.  For your jail named 
jailname in rc.conf add the following to automatically mount devfs 
with the default jail ruleset:
jail_jailname_devfs_enable="YES"
jail_jailname_devfs_ruleset="devfsrules_jail"

-- 
Anish Mistry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050304/168609ac/attachment.bin

More information about the freebsd-questions mailing list