Re: Jail security

2005-03-07 Thread Chad Leigh -- Shire . Net LLC
On Mar 7, 2005, at 9:35 AM, Frank de Bot wrote:
> Jorn Argelo wrote:
>> On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote
>>> Hi,
>>>
>>> I've set up a jail. But I don't have any idea how safe a jail is.
>>> Often is told chroot and jails can be escaped. How safe is it to
>>> give other people user access to a jailed environment? or maybe even
>>> root...
>>
>> A jailed process cannot leave its jail. Unless some exploit is being found in
>> jail itself, but that's rather unlikely. A cracker can only mess up your jail
>> and not your entire host. So if you build 4 jails for Apache, MySQL, Squid and
>> Postfix for instance, each of those processes will only run in its jail and
>> cannot interact with another jail or the host. Which is more secure than just
>> putting everything on your host.
>>
>> Another major advantage of jails is that you can experiment at will without
>> touching your production environment. Just create a jail and install apache in
>> the other jail. Once you are finished and it works, just amend your firewall
>> settings and you're ready to go.
>>
>> If you're experienced enough I'd encourage you to use them. It can be
>> complicated for a newbie, but if you know your way around FreeBSD and the
>> command line, you should really use jails.
>>
>> Jorn.
>
> What if an exploit is found, then root should have the greatest chance
> to break out of the jail, or not?
> Should it be possible to assign root another UID in a jail (this is
> pretty unlikely I think), so IF it breaks out it will find himself
> working as a user at the host system :-P

I know it is not exhaustive, and other exploits for escaping
chroot/jail may come up, but I have tried many of the common chroot
ones and never had any luck escaping from a jail...

Look at it this way -- if you don't use them for protection, they are 
already on your machine :-)  This is an insulating layer.

Chad
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Jail security

2005-03-07 Thread Frank de Bot
Jorn Argelo wrote:
> On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote
>> Hi,
>>
>> I've set up a jail. But I don't have any idea how safe a jail is.
>> Often is told chroot and jails can be escaped. How safe is it to
>> give other people user access to a jailed environment? or maybe even
>> root...
>
> A jailed process cannot leave its jail. Unless some exploit is being found in
> jail itself, but that's rather unlikely. A cracker can only mess up your jail
> and not your entire host. So if you build 4 jails for Apache, MySQL, Squid and
> Postfix for instance, each of those processes will only run in its jail and
> cannot interact with another jail or the host. Which is more secure than just
> putting everything on your host.
>
> Another major advantage of jails is that you can experiment at will without
> touching your production environment. Just create a jail and install apache in
> the other jail. Once you are finished and it works, just amend your firewall
> settings and you're ready to go.
>
> If you're experienced enough I'd encourage you to use them. It can be
> complicated for a newbie, but if you know your way around FreeBSD and the
> command line, you should really use jails.
>
> Jorn.

What if an exploit is found, then root should have the greatest chance
to break out of the jail, or not?
Should it be possible to assign root another UID in a jail (this is
pretty unlikely I think), so IF it breaks out it will find himself
working as a user at the host system :-P


Re: Jail security

2005-03-07 Thread Jorn Argelo
On Mon, 07 Mar 2005 17:04:41 +0100, Frank de Bot wrote
> Hi,
> 
> I've set up a jail. But I don't have any idea how safe a jail is. 
> Often is told chroot and jails can be escaped. How safe is it to 
> give other people user access to a jailed environment? or maybe even 
> root...

A jailed process cannot leave its jail. Unless some exploit is being found in
jail itself, but that's rather unlikely. A cracker can only mess up your jail
and not your entire host. So if you build 4 jails for Apache, MySQL, Squid and
Postfix for instance, each of those processes will only run in its jail and
cannot interact with another jail or the host. Which is more secure than just
putting everything on your host.

Another major advantage of jails is that you can experiment at will without 
touching your production environment. Just create a jail and install apache in
the other jail. Once you are finished and it works, just amend your firewall
settings and you're ready to go.

If you're experienced enough I'd encourage you to use them. It can be
complicated for a newbie, but if you know your way around FreeBSD and the
command line, you should really use jails.

Jorn.
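
The one-jail-per-service layout described in the message above, written out as an added example in the jail.conf(5) format of later FreeBSD releases; it is not from any poster in this thread, and the jail names, paths, hostnames and addresses are constructed placeholders. Several of the restrictive values are already the defaults and are stated explicitly so the isolation each jail relies on is visible in one place.

```conf
# /etc/jail.conf -- constructed example, all names and addresses are placeholders

# Settings shared by every jail defined below
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                      # start jail commands with a clean environment
mount.devfs;                     # give each jail its own /dev ...
devfs_ruleset = 4;               # ... restricted by the stock devfsrules_jail ruleset

# What root inside a jail is NOT allowed to do
enforce_statfs = 2;              # only the jail's own root mount is visible
securelevel = 2;                 # jail-local kern.securelevel
children.max = 0;                # no nested jails
allow.raw_sockets = false;       # no raw sockets (so no ping or sniffing from inside)
allow.mount = false;             # jailed root cannot mount file systems
allow.chflags = false;           # jailed root cannot manipulate system file flags
allow.set_hostname = false;      # hostname is fixed by the host

# Per-jail values derived from the jail name
path = "/usr/jails/$name";
host.hostname = "$name.example.org";

# One jail per service; each address must already exist on a host interface
apache  { ip4.addr = 192.0.2.10; }
mysql   { ip4.addr = 192.0.2.11; }
squid   { ip4.addr = 192.0.2.12; }
postfix { ip4.addr = 192.0.2.13; }
```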