Re: chroot or jail

From: Christopher Nehren (apeiron+usenet_at_coitusmentis.info)
Date: 09/02/05

    Date: 01 Sep 2005 22:33:05 GMT
    
    

    On 2005-09-01, Davide Cittaro scribbled these
    curious markings:
    > John Smith <someone@internet.com> wrote:
    >
    >> What is the easiest way of knowing what files you need when you start
    >> chrooting the files?
    >>
    >
    > Meaning what? when you build a jail you have a *complete* FreeBSD system
    > inside it, except for the kernel.

    If you follow the instructions in jail(8) and don't remove
    anything, then that's the case. But if security and disk space
    matter to you, then you'll remove bunches of things. You don't
    need inetd or BIND if you're running a standalone Apache, for
    example.

    >> Also, what is the best document for learning about jailing processes?
    >
    > man jail says everything you need to know.
    > Once you set up your first jail it will take a few minutes to set up the
    > others (except for copying/compiling stuff).
    > There are also some jail utils in the ports tree (can't recall where...
    > sorry). They help you in setting/starting/stopping jails but I'm sure
    > you can do it without.

    Most (all?) jail utilities live under sysutils/. This will show
    you a number of them:

    cd /usr/ports && make search key=jail

    Best Regards,
    Christopher Nehren

    -- 
    I abhor a system designed for the "user", if that word is a coded
    pejorative meaning "stupid and unsophisticated". -- Ken Thompson
    If you ask questions of idiots, you get "Joel on Software".
    Unix is user friendly. However, it isn't idiot friendly.
    
