Should I use jail?
Phil Regnauld
regnauld at x0.dk
Sun Feb 16 15:18:09 UTC 2014
A.J. 'Fonz' van Werven (freebsd) writes:
> Thomas Steen Rasmussen wrote:
>
> > For what it's worth I never, ever run any service without running it in
> > a jail.
>
> Smartass comment: if that includes ntpd or a master NIS server, would you
> care to divulge how you did that?
I don't know why the NIS server would be any different, but for services
that require access to devices (say, ntpd talking to a GPS over USB), you
define new devfs rules to unhide the requisite /dev/ entries for the
jails running the service. I do this for OpenDNSSEC using a smartcard
reader.
Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
among other things - but beware of giving access to raw devices this
way) and ugen* devices under /dev/:
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide
Cheers,
Phil
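The devfs ruleset in the message above is what decides which /dev nodes the jail sees once `devfs_ruleset` points at it, and the caveat about raw devices is worth checking mechanically. As an added example, not part of this message or of FreeBSD's own tooling, here is a Python script that parses devfs.rules-style text, resolves `add include $name` references, applies the hide/unhide rules in order to a constructed list of /dev node names, and flags any raw-device nodes (bpf, ugen, mem/kmem, disks) that the ruleset leaves visible to the jail. The rulesets 1 to 4 embedded in it are a constructed approximation of the stock /etc/defaults/devfs.rules (check the installed file for the authoritative content); the device-node list and the raw-device glob list are constructed as well.

```python
"""Audit which /dev nodes a FreeBSD devfs ruleset exposes to a jail (added example)."""
import fnmatch
import re

# Constructed approximation of the stock rulesets 1-4 from /etc/defaults/devfs.rules.
DEFAULT_RULES = """
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

[devfsrules_unhide_login=3]
add path 'tty*' unhide
add path 'pty*' unhide
add path ptmx unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
"""

# The ruleset posted in the message above.
JAIL_BPF_RULES = """
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide
"""

# Constructed sample of /dev node names present on the host.
SAMPLE_DEV_NODES = ["null", "zero", "random", "urandom", "log", "ttyv0", "ptmx",
                    "bpf", "bpf0", "ugen0.2", "ugen1.3", "mem", "kmem", "ada0", "io"]

# Constructed list of globs for nodes that give raw packet, memory or disk access.
RAW_DEVICE_GLOBS = ["bpf*", "ugen*", "usb*", "mem", "kmem", "io", "ada*", "da*", "nvme*"]

HEADER_RE = re.compile(r"^\[(\w+)=(\d+)\]$")


def parse_rulesets(text):
    """Return {name: (number, [rule strings])} for every [name=N] section."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            rulesets[current] = (int(m.group(2)), [])
        elif current is None:
            raise ValueError("rule outside of a [name=N] section: %r" % line)
        else:
            rulesets[current][1].append(line)
    return rulesets


def expand(rulesets, name, seen=frozenset()):
    """Flatten `add include $other` references into one ordered rule list."""
    if name in seen:
        raise ValueError("include cycle at %s" % name)
    seen = seen | {name}
    out = []
    for rule in rulesets[name][1]:
        parts = rule.split()
        if parts[:2] == ["add", "include"]:
            out.extend(expand(rulesets, parts[2].lstrip("$"), seen))
        else:
            out.append(rule)
    return out


def visible_nodes(rules, nodes):
    """Apply hide/unhide rules in order; the last rule matching a node wins."""
    visible = set(nodes)  # devfs shows every node until a rule hides it
    for rule in rules:
        parts = [p.strip("'\"") for p in rule.split()]
        if parts == ["add", "hide"]:
            visible.clear()
        elif len(parts) >= 4 and parts[:2] == ["add", "path"]:
            pattern, action = parts[2], parts[3]
            matched = {n for n in nodes if fnmatch.fnmatchcase(n, pattern)}
            if action == "unhide":
                visible |= matched
            elif action == "hide":
                visible -= matched
            # mode/user/group rules do not change visibility; ignore them
        else:
            raise ValueError("unsupported rule: %r" % rule)
    return visible


def audit(rulesets_text, name, nodes=SAMPLE_DEV_NODES):
    """Return (sorted visible nodes, sorted raw-device nodes left visible)."""
    vis = visible_nodes(expand(parse_rulesets(rulesets_text), name), nodes)
    flagged = [n for n in sorted(vis)
               if any(fnmatch.fnmatchcase(n, g) for g in RAW_DEVICE_GLOBS)]
    return sorted(vis), flagged


if __name__ == "__main__":
    vis, flagged = audit(DEFAULT_RULES + JAIL_BPF_RULES, "devfsrules_jail_bpf")
    print("visible in jail:", " ".join(vis))
    print("raw devices exposed:", " ".join(flagged) or "none")
```

Run against the posted ruleset, the audit reports that `bpf`, `bpf0` and `ugen0.2` are visible inside the jail while `ugen1.3`, `mem`, `kmem` and the disk nodes stay hidden, which is exactly the exposure the message warns about: the ruleset does what was intended, but a jail with BPF access can capture traffic on the host's interfaces, so the flagged list is what to review before pointing a jail's `devfs_ruleset` at it.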
More information about the freebsd-stable mailing list