Should I use jail?

Phil Regnauld regnauld at x0.dk
Sun Feb 16 15:18:09 UTC 2014


A.J. 'Fonz' van Werven (freebsd) writes:
> Thomas Steen Rasmussen wrote:
> 
> > For what it's worth I never, ever run any service without running it in
> > a jail.
> 
> Smartass comment: if that includes ntpd or a master NIS server, would you
> care to divulge how you did that?

	I don't know why the NIS server would be any different, but for services
	that require access to devices (say, ntpd talking to a GPS over USB), you
	define new devfs rules to unhide the requisite /dev/ entries for the
	jails running the service. I do this for OpenDNSSEC using a smartcard
	reader.

	Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
	among other things - but beware of giving access to raw devices this
	way) and ugen* devices under /dev/

[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide

	Cheers,
	Phil
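Putting the ruleset to use, as an added example that is not from Phil's mail: the rule block belongs in /etc/devfs.rules, and a jail only picks it up once its devfs is mounted with that ruleset number from /etc/jail.conf. The jail name, path, address and the exact ugen node are placeholders; the ugen pattern is deliberately narrowed to one device instead of every USB device on the host.

```conf
# /etc/devfs.rules (assumed location; ruleset 5 builds on the stock
# devfsrules_jail ruleset, number 4 in /etc/defaults/devfs.rules)
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
# bpf gives the jail raw packet capture on every interface it can see;
# only unhide it for a jail that genuinely needs it (tcpdump, etc.)
add path 'bpf*' unhide
# unhide just the one GPS receiver, not 'ugen0.*' (placeholder node)
add path 'ugen0.2' unhide

# /etc/jail.conf (placeholder jail definition)
ntpjail {
    path = /usr/jails/ntpjail;
    host.hostname = ntpjail.example.com;
    ip4.addr = 192.0.2.10;
    mount.devfs;
    devfs_ruleset = 5;   # without this the jail keeps the default ruleset 4
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

Reload the rules with `service devfs restart` and restart the jail so its devfs is mounted with ruleset 5; `ls /dev` inside the jail should then show only the stock jail nodes plus bpf and the single ugen device.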
