FreeBSD Jails

BSD Forums writes "A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. OnLamp's Mike DeGraw-Bertsch explains how FreeBSD's jails can help secure necessary applications."

sandbox

[Hard_Code]

Instead of this adhoc-ish system, wouldn't a better solution be to have a "correct" sandbox in which a policy can be attached to ANY process, which determined what kernel calls can be made, and potentially with what parameters? Then there is no need for wacky interface aliasing and stuff like that.

Re:bind?

[m0rten]

And better alternatives exist - like qmail and djbdns. Is there any reason to run those pieces of shit besides legacy config files?

To quote the Makefile for /usr/ports/mail/qmail:

NO_PACKAGE= djb's packaging license does not allow non-standard qmail binary distributions

I would guess this is a big showstopper for using qmail in the FreeBSD basesystem. However, I think it was recently added some glue to sysinstall to let you choose MTA during install.

Re:bind?

[xA40D]

And better alternatives exist

In your opinion. Personally I dislike sendmail, but love BIND (just don't run it as root). But then I dislike qmail as much as sendmail, and djbdns strikes me as mildly braindamaged - so I'd hate to see them installed by default.

An ideal system would have the entire OS as packages... then all you need to do in to install your favourites....

Does Linux offer something like this?

FreeBSD's jails are a very cool security feature in my mind. Does Linux offer something similar?