Slashdot Mirror


FreeBSD Jails

BSD Forums writes "A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. OnLamp's Mike DeGraw-Bertsch explains how FreeBSD's jails can help secure necessary applications."

6 of 70 comments

  1. sandbox by Hard_Code · Score: 4, Interesting

    Instead of this ad-hoc-ish system, wouldn't a better solution be to have a "correct" sandbox in which a policy can be attached to ANY process, which determines what kernel calls can be made, and potentially with what parameters? Then there is no need for wacky interface aliasing and stuff like that.

    --

    It's 10 PM. Do you know if you're un-American?

    1. Re:sandbox by ctr2sprt · Score: 4, Informative
      No, not really. The problem with all these fine-grained access controls is that they are painfully difficult to use. Unix admins get worked up about the complexity introduced by simple POSIX filesystem ACLs; how do you think they'll be able to tolerate having per-process syscall control? It would just never get used. Incidentally, there are patches which allow exactly the functionality you describe. And nobody uses them except for people with a really exceptional need for security.

      Jails have other uses too, by the way. Website hosting is one such example. You can set up jails for each person using the machine, and then he gets his own root login. He can modify Apache config files himself and do any other configuration stuff, but he can't break out of the jail to interfere with other users. There are actually providers out there that do this, though I don't know any of them by name.

  2. Jails addons by rf0 · Score: 4, Informative

    For some fun jail patches have a look at garage.freebsd.pl

    Rus

  3. Re:bind? by m0rten · Score: 4, Interesting

    And better alternatives exist - like qmail and djbdns. Is there any reason to run those pieces of shit besides legacy config files?

    To quote the Makefile for /usr/ports/mail/qmail:

    NO_PACKAGE= djb's packaging license does not allow non-standard qmail binary distributions

    I would guess this is a big showstopper for using qmail in the FreeBSD base system. However, I think some glue was recently added to sysinstall to let you choose the MTA during install.

  4. Re:bind? by xA40D · Score: 4, Interesting

    And better alternatives exist

    In your opinion. Personally I dislike sendmail, but love BIND (just don't run it as root). But then I dislike qmail as much as sendmail, and djbdns strikes me as mildly brain-damaged - so I'd hate to see them installed by default.

    An ideal system would have the entire OS as packages... then all you need to do is to install your favourites....

    --
    Do you mind, your karma has just run over my dogma.

  5. My jailadmin stuff... by Just Some Guy · Score: 4, Informative
    I wrote (in Perl) a set of jail management scripts. They're available at SubWiki:Freebsd/JailAdmin.

    The main feature is a configuration that lets you act on jails by name. For instance:

    jailadmin start web3 news7 shell1 shell2
    will start those jails, and
    jailadmin stop shell4
    will stop that instance. Basically, I wanted to make a system that was convenient for people with large numbers of jails on one machine, but easy enough for everyone.

    Included are an rc.d script for starting/stopping a set of jails at boot/shutdown, and an snmpd plugin for remote monitoring.

    --
    Dewey, what part of this looks like authorities should be involved?
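The two ideas above, ctr2sprt's per-customer hosting jails (each customer gets a root login inside the jail but cannot reach other customers or the host) and Just Some Guy's name-based jail management, map directly onto a modern FreeBSD jail.conf(5). The following is an added example in that syntax; it is not from the OnLamp article, the thread, or the jailadmin scripts. The jail names come from the post; paths, hostnames, addresses, and the em0 interface are placeholders.

```conf
# Added example (not from the thread or the jailadmin scripts):
# /etc/jail.conf for a per-customer hosting box.  Names, paths,
# addresses and the em0 interface are placeholders.

# Defaults applied to every jail declared below; $name expands to
# the jail's own name, so new jails need only an address.
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
interface = "em0";          # the jail's IP is added as an alias on em0
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;          # devfsrules_jail: hide most device nodes

# Limit what the jailed root can do.  The customer administers
# Apache and friends inside the jail, but none of these reach the host.
allow.raw_sockets = 0;      # no raw sockets (ping/traceroute-style tools)
allow.sysvipc = 0;          # no SysV IPC shared with the host or other jails
allow.mount = 0;            # cannot mount filesystems from inside
allow.set_hostname = 0;
allow.chflags = 0;          # cannot clear system immutable flags
enforce_statfs = 2;         # only the jail's own mount point is visible
securelevel = 2;            # raw disk writes and flag changes stay blocked
children.max = 0;           # no nested jails

web3   { ip4.addr = 192.0.2.13; }
news7  { ip4.addr = 192.0.2.17; }
shell1 { ip4.addr = 192.0.2.21; }
shell2 { ip4.addr = 192.0.2.22; }
```

With `jail_enable="YES"` in /etc/rc.conf, the stock rc.d script acts on jails by name much like jailadmin does: `service jail start web3 news7` and `service jail stop shell2`, and `jls` lists what is running. The per-jail `allow.*` and `securelevel` settings are the part worth reviewing on any such host, since a jailed root that can create raw sockets, mount filesystems, or clear immutable flags has far more room to affect its neighbours than one that cannot.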