Jail security
Jorn Argelo
jorn at wcborstel.nl
Mon Mar 7 08:16:25 PST 2005
On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote
> Hi,
>
> I've set up a jail. But I don't have any idea how safe a jail is.
> Often is told chroot and jails can be escaped. How safe is it to
> give other people user access to a jailed environment? or maybe even
> root...
A jailed process cannot leave its jail. Unless some exploit is being found in
jail itself, but that's rather unlikely. A cracker can only mess up your jail
and not your entire host. So if you build 4 jails for Apache, MySQL, Squid and
Postfix for instance, each of those processes will only run in its jail and
cannot interact with another jail or the host. Which is more secure then just
putting everything on your host.
Another major advantage of jails is that you can experiment at will without
touching your production enviroment. Just create a jail and install apache in
the other jail. Once you are finished and it works, just amend your firewall
settings and you're ready to go.
If you're experienced enough I'd encourage you to use them. It can be
complicated for a newbie, but if you know your way around FreeBSD and the
command line, you should really use jails.
Jorn.
More information about the freebsd-questions
mailing list