Quoting Paul Hoffman <[EMAIL PROTECTED]> (from Sun, 29 Jul 2007 11:57:45 -0700):

> Greetings. I want to set up a jail for a web server. It only needs to
> access the things a normal system would (its own disk space, the
> network controller, the keyboard, and so on). I need to be SSHing into
> the jailed system to control it.
>
> The manpage for jail says:
>
>   NOTE: It is important that only appropriate device nodes in devfs be
>   exposed to a jail; access to disk devices in the jail may permit
>   processes in the jail to bypass the jail sandboxing by modifying files
>   outside of the jail. See devfs(8) for information on how to use
>   devfs rules to limit access to entries in the per-jail devfs.
>
> What should I do for /etc/devfs.rules on the host? What should I be
> excluding?

In addition to what you already got as a response: I doubt you need
access to the keyboard in the jail. Access to the keyboard only makes
sense if you also have a way to give access to a display. X.org will
not run in a jail without a kernel patch, and I haven't tested if you
can give access to a virtual console in a jail (if I listen to my
belly, I have my doubts that it is possible without some patches).

Some predefined rules for devfs are in /etc/defaults/devfs.rules.

Bye,
Alexander.
--
The best you get is an even break.
-- Franklin Adams
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
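
A way to check a ruleset against the manpage warning quoted in this thread, as an added example that is not part of the original messages or of FreeBSD: it parses rules in devfs.rules syntax and reports which disk-like nodes a jail would still see. The sample rules, the `webjail_too_wide` ruleset, the node names and the disk name patterns are constructed assumptions, and only the `path` condition and the `hide`/`unhide`/`include` actions are modelled, using Python's `fnmatch` globbing.

```python
import re
import shlex
from fnmatch import fnmatchcase

# Constructed sample in devfs.rules syntax; the layering mirrors the style of
# /etc/defaults/devfs.rules but this is not a copy of the stock file.
SAMPLE_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path random unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[webjail_too_wide=10]
add include $devfsrules_jail
add path 'ad*' unhide
"""
# Constructed host /dev node names; the disk name patterns are an assumption.
HOST_NODES = ["null", "random", "ad0", "ad0s1a", "da0", "mem", "kbd0"]
DISK_PATTERNS = ["ad*", "da*", "md*"]

def parse_rules(text):
    """Map ruleset name -> list of rule token lists (leading 'add' dropped)."""
    rulesets, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        elif (tok := shlex.split(line, comments=True)) and tok[0] == "add":
            current.append(tok[1:])
    return rulesets

def visible(rulesets, name, node, state=True):
    """Apply rules in order; the last matching hide/unhide decides."""
    for tok in rulesets[name]:
        if tok[0] == "include":
            state = visible(rulesets, tok[1].lstrip("$"), node, state)
        elif tok[0] != "path" or fnmatchcase(node, tok[1]):
            action = tok[2] if tok[0] == "path" else tok[0]
            if action in ("hide", "unhide"):
                state = action == "unhide"
    return state

def exposed_disks(rulesets, name, nodes=HOST_NODES):
    """Disk-like nodes a jail using this ruleset would still see."""
    return [n for n in nodes if visible(rulesets, name, n)
            and any(fnmatchcase(n, p) for p in DISK_PATTERNS)]
```

With the sample above, the layered hide-everything ruleset exposes no disk nodes, while the ruleset that adds `'ad*'` back exposes `ad0` and `ad0s1a`.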