Clarification: "Jail" -vs- "Chroot"

Julian Fagir gnrp at gnrp.in-berlin.de
Tue Jul 13 18:21:46 UTC 2010


Hi,

> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
Yes, it has both of them. You still want to use chroot, also it is kind of
'part' of a jail (technically perhaps it's implemented separately).

> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
In Solaris, you have zones, and there are several projects to do the same
thing with Linux (Linux-vserver etc).

> 3.) When reading something (book, article, etc.), is there a way to
> determine if the author is, in fact, talking about truly a "jail" or
> are they really just referring to a "chroot" environment? For example,
> I have a book ("Preventing web attacks with Apache") that says:
> 
> "Chroot is short for change root and essentially allows you to run
> programs in a protected or jailed environment. The main benefit of a
> chroot jail is that the jail will limit the portion of the file system
> the daemon can see to the root directory of the jail. Additionally,
> since the jail only needs to support Apache, the programs available in
> the jail can be extremely limited."
Usually, only FreeBSD-specific books will talk about jails, as chroot is the
generic Unix-way for that. Anyway, in many cases you can use a jail for the
same things a chroot-environment is talked about.
In this case, I think he's really talking about a chroot, as he's only
talking about the file system, not the network etc.

> 4.) Jail is the more secure of the two options?
I cannot really answer this, but a jail is the more separated way. So, I
would say, a jail is more secure. If the extras of a jail are not needed, it
is perhaps more insecure, as there are more points to break into the system.
But, don't rely on my answer, I never looked at the kernel-side of jails the
very technical way.

> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
> edition of "Absolute FreeBSD" says:
> 
> "Chrooting is useful for web servers that have multiple clients on one
> machine—that is, web servers with many virtual hosts."
On the FreeBSD-machines I manage, I use chroot for the services that are not
that security-relevant or can easily be separated, i.e. on some
distributions you can put your apache or bind easily into a
chroot-environment.
Also, a chroot-environment can have other targets than a jail, e.g. if you
only want to have another file system-visibility instead of a new jail as you
do when you have to start with a live-cd into a non-booting system.


Sorry for my English. :)
Regards, Julian

