From: Joerg Sonnenberger <[EMAIL PROTECTED]>
To: freebsd-hackers@freebsd.org
Subject: Re: Configuration differences for jails
Date: Thu, 21 Apr 2005 13:43:59 +0200

On Thu, Apr 21, 2005 at 07:39:08AM -0400, c0ldbyte wrote:
> Now if that last question is correct and that's the process you are using
> to create a jail then depending on the situation wouldn't that in turn
> defeat some of the main purposes of the jail, like the following. If you
> mounted your "/bin" on "/mnt/jail/bin" then if a person that was looking
> to break in and affect the system that is currently locked in the "jail"
> all he would have to do is just write something to the "jail/bin" which is
> actually your root "/bin" and then the next time a binary is used from your
> root directories it could still infect the rest of the system ultimately
> defeating the purpose of what you just set up. To my understanding and use
> a jail is somewhat totally independent of the OS that it resides in and
> won't be if you are using nullfs to mount root binary directories on it.

ro mount as written by grandparent protects against this.

I am not very familiar with mount_nullfs, but I think it is _one_ copy with
_multiple_ references (FIXME). So if we modify something in one jail, the same
effect will also impose on other jails, even the real machine. Due to this
problem, readonly mounts may be a good choice.
BUT if we do some things related to the /etc files, such as passwd, ro mounts
cannot deal with this situation because different jails need different passwd
files for private users.
So I think this can only be done by making a copy of the relevant files, not ro
mounts.

Any idea?

regards
Jas
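
An added example, not part of the thread: a check for the read-only point discussed above, listing nullfs mounts below a jail root that are still writable. It assumes FreeBSD `mount` output of the form `<source> on <mountpoint> (<options>)`; the function names and the sample mount table are constructed, with `/mnt/jail` taken from the quoted message.

```sh
#!/bin/sh
# audit_jail_nullfs JAILROOT
# Reads mount(8) output on stdin and prints "<source> <mountpoint>" for every
# nullfs mount at or below JAILROOT that lacks the read-only option.
audit_jail_nullfs() {
    awk -v root="${1%/}" '
    {
        # Split "<src> on <mnt> (<opts>)". Paths containing " on " or " ("
        # are not handled by this simple parser.
        o = index($0, " on "); p = index($0, " (")
        if (o == 0 || p == 0 || p < o) next
        src  = substr($0, 1, o - 1)
        mnt  = substr($0, o + 4, p - o - 4)
        opts = substr($0, p + 2); sub(/\)$/, "", opts)

        # Only mountpoints inside this jail; "/mnt/jail2" must not match "/mnt/jail".
        if (mnt != root && index(mnt, root "/") != 1) next

        n = split(opts, f, /, */); nullfs = 0; ro = 0
        for (i = 1; i <= n; i++) {
            if (f[i] == "nullfs")    nullfs = 1
            if (f[i] == "read-only") ro = 1
        }
        if (nullfs && !ro) print src, mnt
    }'
}

# Constructed sample of `mount` output (not captured from a real host).
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/bin on /mnt/jail/bin (nullfs, local, read-only)
/sbin on /mnt/jail/sbin (nullfs, local)
/usr/lib on /mnt/jail/usr/lib (nullfs, local, read-only)
/home/shared on /mnt/jail2/data (nullfs, local)
EOF
}

# Report writable nullfs mounts for the jail rooted at /mnt/jail.
sample_mounts | audit_jail_nullfs /mnt/jail
```

On a live host the input would be `mount | audit_jail_nullfs /mnt/jail`. Per-jail files such as `/etc/passwd` are outside what this check covers.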