On Mon, 22 Sep 2008, Matt Fioravante wrote:
I want to implement a number of jails for different services on a single box. Since /usr is the same everywhere I'd like to just mount one copy of it read-only to all the jails and then have them each have their own /usr/local Someone recommended keeping the main system's /usr separate. This would mean building a /usr for the main system and then making a copy of it to be shared by the jails. Aesthetics and philosophy aside, are there any real security holes in just using the systems /usr everywhere if it is mounted read only in the jails? THis seems to be the approach used by solaris zones.
For a couple of years, I shared /usr on a dozen of hosts by NFS. Worked fine, but I mounted it read-only on all but one box. Thus, I had to symlink very few files or directories out from /usr to /var.
For security and reliability, I'd recommend to limit read-write access to /usr.
Best regards Konrad Heuer GWDG, Am Fassberg, 37077 Goettingen, Germany, [EMAIL PROTECTED] _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"