Re: Sharing directories with jails

From: Ean Kingston (ean_at_hedron.org)
Date: 03/03/05

    Date: Thu, 3 Mar 2005 11:04:32 -0500 (EST)
    To: "Chris Hodgins" <chodgins@cis.strath.ac.uk>
    
    

    > How dangerous is it to share the ports directory with jails on the
    > system? I am using the jails to give others access to a freebsd system.
    > You can assume they are untrusted (hence the jail ;)).
    >
    > Is it enough just to:
    > ln -s /usr/ports /usr/jail/ajail/usr/ports

    That won't work. The jail does a chroot (along with other things) when it
    starts up so the link inside the jail will wind up pointing to itself.

    The only way I've been able to figure out how to do something like that is
    by running an NFS server outside the jail and then running an NFS client
    inside the jail to get access to the disk space outside the jail via NFS.
    I actually have a separate jail for the NFS server and export everything
    read-only.

    Now, I'm sure you've thought of this but I'm going to say it for anyone
    reading the archives. You do know that giving the jailed processes access
    to anything outside the jail will reduce the security advantages of having
    a jail in the first place?

    Besides, why would you provide a jailed process with access to development
    tools? You are just making it much easier for anyone with access to the
    jail to build/install software to help them break out of the jail.

    > Thanks
    > Chris

    -- 
    Ean Kingston
        E-Mail: ean_AT_hedron_DOT_org
     PGP KeyID: 1024D/CBC5D6BB
           URL: http://www.hedron.org/
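
The symlink behaviour described in the reply above, as an added example that is not part of the original message: a Python simulation of path lookup under a chroot, run against a constructed temporary tree. `resolve_in_jail`, `MAX_LINKS` and the temp-dir layout are assumptions for illustration, not FreeBSD code.

```python
import errno
import os
import tempfile

MAX_LINKS = 32  # assumed cap on symlink hops, standing in for the kernel's ELOOP limit

def resolve_in_jail(jail_root, path):
    """Resolve `path` as a process chrooted to `jail_root` would; return the host path."""
    jail_root = os.path.realpath(jail_root)
    pending = [c for c in path.split("/") if c]
    current, hops = jail_root, 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            # ".." at the jail's "/" stays put, as it does at any root directory
            if current != jail_root:
                current = os.path.dirname(current)
            continue
        candidate = os.path.join(current, comp)
        if os.path.islink(candidate):
            hops += 1
            if hops > MAX_LINKS:
                raise OSError(errno.ELOOP, "Too many levels of symbolic links", path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                current = jail_root  # absolute target restarts at the jail's "/", not the host's
            pending = [c for c in target.split("/") if c] + pending
        else:
            current = candidate
    return current

def demo():
    """Build a constructed host tree in a temp dir and try the symlink from the question."""
    host = os.path.realpath(tempfile.mkdtemp())  # stands in for the host's "/"
    jail = os.path.join(host, "usr", "jail", "ajail")
    os.makedirs(os.path.join(host, "usr", "ports"))
    os.makedirs(os.path.join(jail, "usr", "local"))
    # Equivalent of: ln -s /usr/ports /usr/jail/ajail/usr/ports
    os.symlink("/usr/ports", os.path.join(jail, "usr", "ports"))
    try:
        seen = resolve_in_jail(jail, "/usr/ports")
    except OSError as exc:
        seen = errno.errorcode[exc.errno]
    return host, jail, seen

if __name__ == "__main__":
    print("jail view of /usr/ports:", demo()[2])
```

Inside the simulated jail the link's absolute target is looked up from the jail's own root, so `/usr/ports` leads back to the link itself and the lookup ends in `ELOOP` without ever reaching the host's `/usr/ports`.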