How dangerous is it to share the ports directory with jails on the system? I am using the jails to give other access to a freebsd system. You can assume they are untrusted (hence the jail ;)).
Is it enough just to: ln -s /usr/ports /usr/jail/ajail/usr/ports
That won't work. The jail does a chroot (along with other things) when it starts up so the link inside the jail will wind up pointing to itself.
Doh! :)
The only way I've been able to figure out how to do something like that is by running an NFS server outside the jail and then run an NFS client inside the jail to get access to the disk space outside the jail via NFS. I actually have a separate jail for the NFS server and export everything read-only.
Interesting idea.
Now, I'm sure you've thought of this but I'm going to say it for anyone reading the archives. You do know that giving the jailed processes access to anything outside the jail will reduce the security advantages of having a jail in the first place?
Well I wasn't sure about this...hence the question.
Besides, why would you provide a jailed process with access to development tools? You are just making it much easier for anyone with access to the jail to build/install software to help them break out of the jail.
Thanks Chris
Ok perhaps I should clarify what my intentions are a little more. I am planning on providing a FreeBSD jail for any member of a geek society I am a member of. When I say they are untrusted, I mean that I won't be giving them full root access to my server but I trust them enough not to do anything malicious inside a jail. It is just like a fun place they can play and not have to worry to much about breaking things.
How easy is it exactly to break out of a jail if you have access to development tools?
Chris _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
