Re: Sharing directories with jails
> On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote:
> > > On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> > [cut original question and answer]
> > > > Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.
> > > >
> > > > How easy is it exactly to break out of a jail if you have access to development tools?
> > >
> > > http://www.securiteam.com/unixfocus/5WP031535U.html
> >
> > How current is this? The article appears to be dated 2001. Are there still buffer-overflow issues with /proc?
>
> 5.3 and later no longer need proc and it's not mounted by default.
>
> > > If you use securelevels you can significantly improve security.
>
> -- Anish Mistry

The jail manpage instructs to mount proc when starting a jail and the /etc/rc.d/jail script mounts both devfs and procfs. Are you saying this is not needed and if so why and how to disable? Thanks.

-- Viren Patel

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Sharing directories with jails
On Friday 04 March 2005 10:24 am, Viren Patel wrote:
> > On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote:
> > > > On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> > > [cut original question and answer]
> > > > > Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.
> > > > >
> > > > > How easy is it exactly to break out of a jail if you have access to development tools?
> > > >
> > > > http://www.securiteam.com/unixfocus/5WP031535U.html
> > >
> > > How current is this? The article appears to be dated 2001. Are there still buffer-overflow issues with /proc?
> >
> > 5.3 and later no longer need proc and it's not mounted by default.
> >
> > > > If you use securelevels you can significantly improve security.
> >
> > -- Anish Mistry
>
> The jail manpage instructs to mount proc when starting a jail and the /etc/rc.d/jail script mounts both devfs and procfs. Are you saying this is not needed and if so why and how to disable? Thanks.

The man page is a bit out of date and needs to be updated. The jail script doesn't mount either dev or proc by default, and there should be no reason to mount /proc under normal conditions. For your jail named jailname in rc.conf add the following to automatically mount devfs with the default jail ruleset:

jail_jailname_devfs_enable=YES
jail_jailname_devfs_ruleset=devfsrules_jail

-- Anish Mistry
Re: Sharing directories with jails
> How dangerous is it to share the ports directory with jails on the system?
>
> I am using the jails to give other access to a freebsd system. You can assume they are untrusted (hence the jail ;)).
>
> Is it enough just to:
> ln -s /usr/ports /usr/jail/ajail/usr/ports

That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself.

The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only.

Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place?

Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail.

> Thanks
> Chris

-- Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
Re: Sharing directories with jails
Ean Kingston wrote:
> > How dangerous is it to share the ports directory with jails on the system?
> >
> > I am using the jails to give other access to a freebsd system. You can assume they are untrusted (hence the jail ;)).
> >
> > Is it enough just to:
> > ln -s /usr/ports /usr/jail/ajail/usr/ports
>
> That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself.

Doh! :)

> The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only.

Interesting idea.

> Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place?

Well I wasn't sure about this...hence the question.

> Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail.
>
> > Thanks
> > Chris

Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.

How easy is it exactly to break out of a jail if you have access to development tools?

Chris
Re: Sharing directories with jails
On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> Ean Kingston wrote:
> > > How dangerous is it to share the ports directory with jails on the system?
> > >
> > > I am using the jails to give other access to a freebsd system. You can assume they are untrusted (hence the jail ;)).
> > >
> > > Is it enough just to:
> > > ln -s /usr/ports /usr/jail/ajail/usr/ports
> >
> > That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself.
>
> Doh! :)
>
> > The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only.
>
> Interesting idea.
>
> > Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place?
>
> Well I wasn't sure about this...hence the question.
>
> > Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail.
> >
> > > Thanks
> > > Chris
>
> Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.
>
> How easy is it exactly to break out of a jail if you have access to development tools?

http://www.securiteam.com/unixfocus/5WP031535U.html

If you use securelevels you can significantly improve security.

-- Anish Mistry
Re: Sharing directories with jails
> On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:

[cut original question and answer]

> > Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.
> >
> > How easy is it exactly to break out of a jail if you have access to development tools?
>
> http://www.securiteam.com/unixfocus/5WP031535U.html

How current is this? The article appears to be dated 2001. Are there still buffer-overflow issues with /proc?

> If you use securelevels you can significantly improve security.

-- Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/
Re: Sharing directories with jails
On Thursday 03 March 2005 05:23 pm, Ean Kingston wrote:
> > On Thursday 03 March 2005 12:42 pm, Chris Hodgins wrote:
> [cut original question and answer]
> > > Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry too much about breaking things.
> > >
> > > How easy is it exactly to break out of a jail if you have access to development tools?
> >
> > http://www.securiteam.com/unixfocus/5WP031535U.html
>
> How current is this? The article appears to be dated 2001. Are there still buffer-overflow issues with /proc?

5.3 and later no longer need proc and it's not mounted by default.

> > If you use securelevels you can significantly improve security.

-- Anish Mistry
Re: Sharing directories with jails
On Thursday, 3 March 2005 17:04, Ean Kingston wrote:
> > How dangerous is it to share the ports directory with jails on the system?
> >
> > I am using the jails to give other access to a freebsd system. You can assume they are untrusted (hence the jail ;)).
> >
> > Is it enough just to:
> > ln -s /usr/ports /usr/jail/ajail/usr/ports
>
> That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself.
>
> The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client

You can also use nullfs (man (8) mount_nullfs). It's slow and not certified to be bugfree but I never had any problems and especially for centralized ports very useful.

-Harry
RE: Sharing directories with jails
Emanuel Strobl wrote:
> You can also use nullfs (man (8) mount_nullfs). It's slow and not certified to be bugfree but I never had any problems and especially for centralized ports very useful.

What has given you the idea that nullfs is slow? I'm using it extensively and have not noticed any significant slowdown. Under what usecase(s) is it slow? (My usage is mainly for medium to large files, with 200 files per directory.)

/Daniel Eriksson
Re: Sharing directories with jails
Daniel Eriksson wrote:
> Emanuel Strobl wrote:
> > You can also use nullfs (man (8) mount_nullfs). It's slow and not certified to be bugfree but I never had any problems and especially for centralized ports very useful.
>
> What has given you the idea that nullfs is slow? I'm using it extensively and have not noticed any significant slowdown. Under what usecase(s) is it slow? (My usage is mainly for medium to large files, with 200 files per directory.)
>
> /Daniel Eriksson

Thanks for your help. I have used nullfs to get this working and it works fine.

Thanks
Chris
Re: Sharing directories with jails
On Friday, 4 March 2005 01:50, Daniel Eriksson wrote:
> Emanuel Strobl wrote:
> > You can also use nullfs (man (8) mount_nullfs). It's slow and not certified to be bugfree but I never had any problems and especially for centralized ports very useful.
>
> What has given you the idea that nullfs is slow? I'm using it extensively and have not noticed any significant slowdown. Under what usecase(s) is it slow? (My usage is mainly for medium to large files, with 200 files per directory.)

Some performance benchmarks at 5.3 release cycle showed that the way nullfs works is suboptimal, also file backed memory devices are very slow, but I'm no developer so I can't explain to you exactly why. Perhaps someone had a look at this in the meantime, I didn't do any tests since then but I also saw no commit log which indicates that people were working on that.

-Harry

> /Daniel Eriksson
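
Added example, not part of the thread: a host-side check for two points raised above, that procfs does not need to be mounted in a jail and that a shared tree such as /usr/ports can be exposed through nullfs. It assumes FreeBSD's `mount` output format and paths without spaces; the sample listing is constructed, and treating a writable nullfs mount as a warning (by analogy with the read-only NFS export mentioned earlier) is this example's own policy.

```sh
#!/bin/sh
# Host-side audit of what is mounted inside a jail's root.
# Reference for the share itself (run on the host, not in the jail):
#   mount_nullfs -o ro /usr/ports /usr/jail/ajail/usr/ports

# Constructed sample of FreeBSD `mount` output (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/usr/ports on /usr/jail/ajail/usr/ports (nullfs, local, read-only)
/home/shared on /usr/jail/ajail/mnt/shared (nullfs, local)
procfs on /usr/jail/ajail/proc (procfs, local)
devfs on /usr/jail/ajail/dev (devfs, local)
EOF
}

# audit_jail_mounts JAILROOT  (reads `mount` output on stdin)
# Assumes "SRC on MNT (type, opt, ...)" lines and paths without spaces.
audit_jail_mounts() {
    awk -v root="${1%/}" '
    $2 == "on" {
        mnt = $3
        if (index(mnt, root "/") != 1) next      # not below this jail root
        opts = $0
        sub(/^[^(]*\(/, "", opts)                # drop everything up to "("
        sub(/\).*$/, "", opts)                   # drop ")" and anything after
        n = split(opts, o, /, */)
        type = o[1]; ro = 0
        for (i = 2; i <= n; i++) if (o[i] == "read-only") ro = 1
        if (type == "procfs")
            print "WARN procfs-in-jail " mnt
        else if (type == "nullfs" && !ro)
            print "WARN writable-nullfs " mnt " <- " $1
        else if (type == "nullfs")
            print "OK ro-nullfs " mnt " <- " $1
        else
            print "INFO " type " " mnt
    }'
}

# On a live host:  mount | audit_jail_mounts /usr/jail/ajail
sample_mounts | audit_jail_mounts /usr/jail/ajail
```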