Denis Shaposhnikov wrote:
"Frank" == Frank Knobbe <[EMAIL PROTECTED]> writes:


 Frank> If you nullfs these directories, you lose the ability to
 Frank> prune the jail. Pruning is part of system hardening. I'd

Maybe it's better to use unionfs, so anybody can replace binaries
with their stub version per jail.


This might be a very stupid idea, but how about a jailfs? Now, I don't know all that much about filesystem design, so bear with me. How about something like this:


# ls /usr/jail
fulljail smalljail fulljail.conf smalljail.conf
# cd /usr/jail/fulljail
# ls
dev etc home
# cat ../fulljail.conf
allow-all read-only

ignore
        /dev
        /etc
        /usr/home

allow read-write
        /usr/ports/distfiles

# cd ../smalljail
# ls
# cat ../smalljail.conf
ignore-all

allow read-only
        /bin
        /usr/bin

allow read-write
        /usr/home

# cd /usr/jail
# jail /usr/jail/fulljail fulljail 127.0.0.1 /bin/sh /etc/rc
# jexec 1 ls
COPYRIGHT boot compat dist etc lib mnt rescue sbin sys usr bin cdrom dev entropy home libexec proc root stand tmp var
# jail /usr/jail/smalljail smalljail 127.0.0.1 /bin/sh /home/myhome/specialtask.sh
# jexec 2 ls
bin usr home
#


So the jail filesystem is configured at jail-creation time and uses the host's files or jail files depending on the configuration. Might have to pass the config file into the jail command.

As I said, I am not an expert. Maybe one of the experts could let me know what they think?

Chris
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
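
The config format sketched in the message above, as an added example that is not part of the original post: a Python resolver that decides, for a path seen inside the jail, whether it is served from the jail's own directory or passed through from the host read-only or read-write. The function names and the longest-match rule are assumptions; the message does not say how overlapping entries combine.

```python
# Added example (not from the message): resolver for the proposed jailfs config.
# Assumed semantics: longest matching path wins; the "*-all" line is the default;
# "ignore" = use the jail's own files, "allow" = pass through the host's files.
import posixpath

FULLJAIL = """allow-all read-only
ignore
        /dev
        /etc
        /usr/home
allow read-write
        /usr/ports/distfiles"""
SMALLJAIL = """ignore-all
allow read-only
        /bin
        /usr/bin
allow read-write
        /usr/home"""

def _action(words):
    if words in (["ignore"], ["ignore-all"]):
        return "jail"
    if words[0] in ("allow", "allow-all") and words[1:] in (["read-only"], ["read-write"]):
        return "host:" + words[1]
    raise ValueError("bad rule: " + " ".join(words))

def parse(text):
    default, rules, current = None, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):            # a path belongs to the rule above it
            if current is None:
                raise ValueError("path without a rule: " + line)
            rules[posixpath.normpath(line)] = current
        elif line.split()[0].endswith("-all"):
            default, current = _action(line.split()), None
        else:
            current = _action(line.split())
    if default is None:
        raise ValueError("no allow-all/ignore-all line")  # refuse to guess
    return default, rules

def resolve(policy, path):
    default, rules = policy
    path = posixpath.normpath("/" + path.lstrip("/"))  # fold ".." before matching
    while path != "/":                      # match whole components, not substrings
        if path in rules:
            return rules[path]
        path = posixpath.dirname(path)
    return default
```

Matching on normalized whole components is what keeps `/usr/bin/../../etc/passwd` and `/usr/binx` from inheriting the `/usr/bin` rule; symbolic links are not followed here and would need handling in a real filesystem layer.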