Slashdot Mirror


FreeBSD Jails

BSD Forums writes "A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. OnLamp's Mike DeGraw-Bertsch explains how FreeBSD's jails can help secure necessary applications."

70 comments

  1. sandbox by Hard_Code · · Score: 4, Interesting

    Instead of this adhoc-ish system, wouldn't a better solution be to have a "correct" sandbox in which a policy can be attached to ANY process, which determined what kernel calls can be made, and potentially with what parameters? Then there is no need for wacky interface aliasing and stuff like that.

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:sandbox by Anonymous Coward · · Score: 0

      how good is that? I mean, open and write could be used to add another entry to the /etc/passwd file, but many applications have legitimate reasons to write to disk. Maybe a better answer is to write better code to begin with.

    2. Re:sandbox by Anonymous Coward · · Score: 0

      There's CerbNG

    3. Re:sandbox by ctr2sprt · · Score: 4, Informative
      No, not really. The problem with all these fine-grained access controls is that they are painfully difficult to use. Unix admins get worked up about the complexity introduced by simple POSIX filesystem ACLs, how do you think they'll be able to tolerate having per-process syscall control? It would just never get used. Incidentally, there are patches which allow exactly the functionality you describe. And nobody uses them except for people with a really exceptional need for security.

      Jails have other uses too, by the way. Website hosting is one such example. You can set up jails for each person using the machine, and then he gets his own root login. He can modify Apache config files himself and do any other configuration stuff, but he can't break out of the jail to interfere with other users. There are actually providers out there that do this, though I don't know any of them by name.

    4. Re:sandbox by delfstrom · · Score: 2, Informative
      There are actually providers out there that do this, though I don't know any of them by name
      JohnCompanies is one such host that uses FreeBSD jails to give you your own root and ports tree.
    5. Re:sandbox by Nothinman · · Score: 1

      You mean like systrace?

    6. Re:sandbox by ehrichweiss · · Score: 1

      Sandbox, that's exactly what I was gonna say. Why the idea of the sandbox never caught on earlier I'll never know. I don't know if the concept had been introduced at the time but while emulating a Wintel machine on an Amiga (anyone remember those? :) the idea hit me that "memory management" could be easily implemented by setting memory limits, etc. per process as the emulator was doing for the PC processes.

      --
      0x09F911029D74E35BD84156C5635688C0
  2. bind? by Anonymous Coward · · Score: 0
    why do the various freebsds (and linux distros) ship with bind and sendmail for dns/smtp?


    Let's be honest - those 2 pieces of software are responsible for more root exploits (remote and local) than anything else.


    And better alternatives exist - like qmail and djbdns. Is there any reason to run those pieces of shit besides legacy config files?

    1. Re:bind? by Anonymous Coward · · Score: 0

      And better alternatives exist - like qmail and djbdns.

      And when they have all the features of sendmail 8.12.9 and bind 9.2.2 than they are an alternative.

      Until then, qmail/djbdns is not an alternative.

    2. Re:bind? by m0rten · · Score: 4, Interesting
      And better alternatives exist - like qmail and djbdns. Is there any reason to run those pieces of shit besides legacy config files?

      To quote the Makefile for /usr/ports/mail/qmail:

      NO_PACKAGE= djb's packaging license does not allow non-standard qmail binary distributions

      I would guess this is a big showstopper for using qmail in the FreeBSD base system. However, I think some glue was recently added to sysinstall to let you choose the MTA during install.

    3. Re:bind? by xA40D · · Score: 4, Interesting

      And better alternatives exist

      In your opinion. Personally I dislike sendmail, but love BIND (just don't run it as root). But then I dislike qmail as much as sendmail, and djbdns strikes me as mildly braindamaged - so I'd hate to see them installed by default.

      An ideal system would have the entire OS as packages... then all you need to do is to install your favourites....

      --
      Do you mind, your karma has just run over my dogma.
    4. Re:bind? by sirket · · Score: 1

      djbdns strikes me as mildly braindamaged

      "mildly braindamaged"?!?! djbdns is a case of full on dementia. qmail is equally brain damaged. The log files are downright useless (in my opinion) and the configuration makes me want to shoot myself.

      Exim and Postfix are so superior to qmail in terms of manageability that it is embarrassing to qmail.

      But then again these are just my opinions.

      -sirket

    5. Re:bind? by cperciva · · Score: 1

      The log files are extremely useful. They're just not designed for human processing. Similarly, the configuration files aren't very human-friendly, but they are very easy to manipulate via scripts.

      Anyway, if qmail's configuration makes you want to shoot yourself... what does *Sendmail's* configuration do?

    6. Re:bind? by yerricde · · Score: 1

      What, specifically, can Sendmail do that Postfix cannot?

      --
      Will I retire or break 10K?
    7. Re:bind? by Anonymous Coward · · Score: 0
      Sendmail can give me remote root access.


      J. Scriptkiddy

    8. Re:bind? by ericesposito · · Score: 1, Funny

      Allow script kiddies to root your box.

    9. Re:bind? by rsax · · Score: 1
      An ideal system would have the entire OS as packages... then all you need to do is to install your favourites....

      Hey sort of like these operating systems ;)

    10. Re:bind? by Anonymous Coward · · Score: 0

      postfix can do that too, it just takes a lot more effort, and a brain dead configuration.

    11. Re:bind? by sirket · · Score: 1

      Anyway, if qmail's configuration makes you want to shoot yourself... what does *Sendmail's* configuration do?

      It doesn't do anything to me... I refuse to use it :)

      -sirket

    12. Re:bind? by Anonymous Coward · · Score: 0

      How about ships with a software licence that is smaller and easier to understand, not to mention doesn't void over patents?

      At least neither one is GPLed.

    13. Re:bind? by caulfield · · Score: 1

      i've always liked maradns since it's not "braindamaged" like djbdns, but it does privilege separation to run in a jail.

  3. Jails addons by rf0 · · Score: 4, Informative

    For some fun jail patches have a look at garage.freebsd.pl

    Rus

  4. systrace by bikepunk · · Score: 2, Informative
    1. Re:systrace by cant_get_a_good_nick · · Score: 1

      Not to start a TdR flamewar, but wasn't systrace targeted for OpenBSD, they got in a snit with TdR so first got put into NetBSD?

  5. more on jails by nerdsv650 · · Score: 3, Informative

    Nice intro. I've been running jails on FreeBSD for some time now, here are some additional notes I put together some time back.

    http://www.xyz.com/notes/jailnotes.html

    Hope this helps someone.

    -michael

    1. Re:more on jails by Anonymous Coward · · Score: 0

      xyz.com.. nice :)

  6. Re:Fucking Trolls by Anonymous Coward · · Score: 0

    When you to be taking grammar lessions?

  7. pity they can't have private namespaces by F2F · · Score: 3, Informative

    we have them in Plan 9. and they've been there for the past 14 years -- each user, each process, each device exists in its own namespace and views the system differently.

    my / != your /

    after years and years of trying maybe it's time you guys really do something about it -- jails are a temporary solution, and not a very good one at that.

    you need full private namespaces for the same reason you need local variables in your programs -- it's just too nasty otherwise.

    1. Re:pity they can't have private namespaces by cperciva · · Score: 3, Informative

      DragonFlyBSD is supposed to be getting something like this; each process only sees its own version of shared libraries.

  8. Does Linux offer something like this? by Anonymous Coward · · Score: 1, Interesting

    FreeBSD's jails are a very cool security feature in my mind. Does Linux offer something similar?

    1. Re:Does Linux offer something like this? by ocelotbob · · Score: 1

      In addition to chroot, Linux also offers User Mode Linux which is like a supermaximum security jail cell. Or, you can go to MAC/RBAC systems such as grsecurity.

      --

      Marxism is the opiate of dumbasses

    2. Re:Does Linux offer something like this? by Anonymous Coward · · Score: 3, Informative

      Actually, UML is not a supermaximum, it may be considered a supermaximum chroot, but in fact, it's much worse than the FreeBSD jail functionality.

      1. For each UML you have another kernel stealing memory, FreeBSD just uses one kernel.

      2. UML uses loopback on fs, which is really really slow, it also means that if you have multilevel "jails" you soon get practically zero performance; with FreeBSD this does not happen.

      In all fairness, UML is great if you want to test your programs for a multitude of different kernels on the same machine, but for everything else the FreeBSD jail is superior.

      So in the end, if you play with kernels the UML is really great and FreeBSD *should* consider offering something similar. For real world use jail is the thing.

    3. Re:Does Linux offer something like this? by axxackall · · Score: 1
      Both (1) and (2) are the price for a higher level of security of the system overall compared to FreeBSD's jail.

      However, when you don't need THAT level of isolation I would consider Plan 9's private namespaces, whose fine-grained control is far superior to jail.

      --

      Less is more !
    4. Re:Does Linux offer something like this? by Anonymous Coward · · Score: 0

      UML does _NOT_ offer any more security than jail, you can break out of a jail if there is a kernel exploit, but so you can with UML too, so it's a moot point.

      Yes, namespaces are dandy, and the BSDs will get them in about 1 year from now as it is being worked on.

  9. whew! by holzp · · Score: 1

    With the RIAA and SCO stories I was starting to think one of them was about to go after FreeBSD users!

  10. Go directly to jail. by yerricde · · Score: 2, Funny

    Does Linux offer something similar [to chroot jails]?

    Linux has a chroot jail.

    SCO has the other kind of jail too, unless you pay $699 to Darl McBribe [sic].

    --
    Will I retire or break 10K?
    1. Re:Go directly to jail. by Istealmymusic · · Score: 1

      Woohoo. A chroot "jail". How innovative. Linux is really keeping up with the times.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  11. My jailadmin stuff... by Just+Some+Guy · · Score: 4, Informative
    I wrote (in Perl) a set of jail management scripts. They're available at SubWiki:Freebsd/JailAdmin.

    The main feature is a configuration that lets you act on jails by name. For instance:

    jailadmin start web3 news7 shell1 shell2
    will start those jails, and
    jailadmin stop shell4
    will stop that instance. Basically, I wanted to make a system that was convenient for people with large numbers of jails on one machine, but easy enough for everyone.

    Included are an rc.d script for starting/stopping a set of jails at boot/shutdown, and an snmpd plugin for remote monitoring.

    --
    Dewey, what part of this looks like authorities should be involved?
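    The start/stop-by-name interface described in the post above, as an added example that is not Just Some Guy's jailadmin code. It assumes the jails are already defined in /etc/jail.conf so that FreeBSD's jail(8) accepts `jail -c NAME` to create and `jail -r NAME` to remove one; the inventory of jail names is constructed from the post, and `JAIL_DRY_RUN=1` prints the commands instead of running them so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example, not the poster's jailadmin scripts: act on FreeBSD jails by
# name. Assumes the jails are defined in /etc/jail.conf so that jail(8)
# accepts "jail -c NAME" (create) and "jail -r NAME" (remove).
# JAIL_DRY_RUN=1 prints the commands instead of executing them.
set -eu

# Constructed inventory of the jails this host is allowed to manage,
# one name per line (hypothetical names taken from the post).
KNOWN_JAILS='web3
news7
shell1
shell2
shell4'

# A name must be in the inventory and contain only safe characters, so a
# stray argument can never be passed through to the shell or to jail(8).
check_jail_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "jailadmin: bad jail name '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$KNOWN_JAILS" | grep -qx -- "$1" ||
        { echo "jailadmin: unknown jail '$1'" >&2; return 1; }
}

# Map an action word to the jail(8) flag that performs it.
jail_flag() {
    case "$1" in
        start) printf '%s\n' -c ;;
        stop)  printf '%s\n' -r ;;
        *) echo "jailadmin: unknown action '$1'" >&2; return 1 ;;
    esac
}

# jailadmin ACTION NAME...: validate every name before touching any jail,
# so one typo in the list does not leave it half started or half stopped.
jailadmin() {
    [ $# -ge 2 ] || { echo "usage: jailadmin start|stop NAME..." >&2; return 1; }
    flag=$(jail_flag "$1") || return 1
    shift
    for name in "$@"; do
        check_jail_name "$name" || return 1
    done
    for name in "$@"; do
        if [ "${JAIL_DRY_RUN:-0}" = 1 ]; then
            printf 'jail %s %s\n' "$flag" "$name"
        else
            jail "$flag" "$name"
        fi
    done
}
```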
  12. Re:Fucking Trolls by Anonymous Coward · · Score: 0

    lessions?
    methinks the grandfather poster is a native german speaker who translated word for word. Of course I could be wrong - he could be dutch or flemish.

  13. User Mode Linux by axxackall · · Score: 1
    Sounds like User Mode Linux:

    User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions, and poke around in the internals of Linux, all without risking your main Linux setup.

    User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software.

    --

    Less is more !
  14. I wasn't put in jail by Spooge+Knight · · Score: 1

    WHEN I SHOT PAC!

  15. Re:Slow news today? by Anonymous Coward · · Score: 0

    make install DESTDIR=