On Mon, Aug 24, 2009 at 10:31 AM, Manoj Srivastava<[email protected]> wrote: > BSD jails do overcome some of the failures of chroot, and do > make it harder to escape the jail. But they offer little protection > inside the jail. There is only one IP address per jail, and no loopback > device. There are no device nodes. Some applications won't run under > these conditions.
I would say "many" here rather than "some", possibly even "most". It was a complete pain when I tried it a few years back. It wouldn't even work with a standard LAMP stack. It kept forcing me to copy files from the OS into the jail until I had enough and just gave up. Might as well just use a VM and put a whole OS on there, seems that would have been my end result. > Also, http://en.wikipedia.org/wiki/SELinux has a decent writeup, > apart from their failure to note the epic fail of apparmor because > they use path based security (but that is the subject of another > thread). Minus the "epic fail" part it looks like it's there, or did you just add it? <snip> The AppArmor system generally takes a similar approach to SELinux. One important difference is that it identifies file system objects by path name instead of inode. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. </snip> -- Greg Donald http://destiney.com/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en -~----------~----~----~----~------~----~------~--~---
