On Mon, 22 Sep 2008, Matt Fioravante wrote:

I want to implement a number of jails for different services on a single
box.

Since /usr is the same everywhere I'd like to just mount one copy of it
read-only to all the jails and then have them each have their own /usr/local

Someone recommended keeping the main system's /usr separate. This would mean
building a /usr for the main system and then making a copy of it
to be shared by the jails.

Aesthetics and philosophy aside, are there any real security holes in just
using the systems /usr everywhere if it is mounted read only in the jails?
THis seems to be the
approach used by solaris zones.

For a couple of years, I shared /usr on a dozen of hosts by NFS. Worked fine, but I mounted it read-only on all but one box. Thus, I had to symlink very few files or directories out from /usr to /var.

For security and reliability, I'd recommend to limit read-write access to /usr.

Best regards

Konrad Heuer
GWDG, Am Fassberg, 37077 Goettingen, Germany, [EMAIL PROTECTED]


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to