Re: bsdjail questions

From: Erno Kuusela (erno@private)
Date: Thu Jan 13 2005 - 15:26:44 PST


[full quote for benefit of list]

hello,

On Thu, 13 Jan 2005, Serge E. Hallyn wrote:

| Hi,
| 
| > thanks for writing the bsdjail module, it looks very useful indeed.
| 
| Glad you like it!
| 
| > some questions came to mind,
| > 
| > 1) in a chroot you need devpts mounted to have a functioning environment.
| > can root inside the jail eavesdrop on pseudoterminals if i do this?
| 
| Eavesdropping doesn't seem to work, but I tested after reading your msg,
| and I can definitely "echo ab > /dev/pts/0" from a jail.
| 
| I will need to look into how to fix this.  Thanks for pointing it out.

cool.

| > 2) in the documentation example, you set up a whole separate filesystem
| > for use inside the jail. is there a security reason for this, outside
| > of the obvious one of limiting disk space use of the jail?
| 
| Yes, because this way evil or subverted processes inside a jail can only
| write in their own filesystem.  If/when read-only bind mounts work, then
| you'll be able to share, for instance, /usr and /etc read-only in the jail,
| create a fresh tmpfs for /tmp, and use a loopback fs for /home or
| /var/www, for instance.
| 
| Mostly, using a separate fs makes for the simplest and shortest examples in
| the documentation :)

read-only bind mounts sound good.

my feeble mind cannot really divine from the above if/why using a
per-jail private subdirectory on an existing filesystem would be bad...?

between sending the mail and receiving your reply, i actually tried
setting up a jail in a directory on my root fs, and discovered,
from pivot_root manual page:
   EBUSY
           new_root or put_old are on the current root file system, or a file
           system is already mounted on put_old.

but i guess it would work on a non-root fs.

| > 3) is there a mailing list for discussing this stuff? :)
| 
| Only the LSM mailing list.  Info for that is at lsm.immunix.org.  It was
| pretty dead for awhile, but has become more active again recently.

cc'd. 

  -- erno
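[editor's note, added example; this is not code from the bsdjail module or
from either poster] The pty problem in question 1 is easy to reproduce
without a jail at all: any process that can open /dev/pts/N by path can
write to it, and the bytes land on the terminal of whoever owns that pty.
The program below creates its own pty pair with posix_openpt() so it is
self-contained, plays the "jailed" writer using only the slave's path, and
checks on the master side that the injected bytes arrived. writable_ptys()
is the probe you would run inside a jail that has the host's devpts
mounted: it counts the /dev/pts entries this process can open for writing.
Function names are my own.

```c
/* Added example (not bsdjail code): pty write-injection through a shared
 * devpts, plus a probe for how many ptys the current process can write to. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Allocate a pty: returns the master fd and fills in the slave's /dev/pts path. */
static int pty_pair(char *slave_path, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) return -1;
    const char *name;
    if (grantpt(master) || unlockpt(master) || !(name = ptsname(master))
        || strlen(name) >= len) {
        close(master);
        return -1;
    }
    strcpy(slave_path, name);
    return master;
}

/* The "jailed" side: it knows nothing but the path, exactly like
 * `echo ab > /dev/pts/0` does. Returns 0 if the whole message was written. */
int inject_by_path(const char *slave_path, const char *msg)
{
    int fd = open(slave_path, O_WRONLY | O_NOCTTY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Returns 1 if bytes written to the slave by path show up on the master
 * (i.e. on the victim's screen), 0 if they don't, -1 if no pty could be set
 * up. msg must not contain '\n': the line discipline would turn it into
 * "\r\n" on the way out and the comparison would fail for the wrong reason. */
int pts_injection_works(const char *msg)
{
    char path[64], buf[256];
    int master = pty_pair(path, sizeof path);
    if (master < 0) return -1;
    /* The victim's shell keeps the slave open; mimic that so the tty does
     * not hang up when our injector closes its descriptor. */
    int victim = open(path, O_RDWR | O_NOCTTY);
    if (victim < 0) { close(master); return -1; }
    int ok = 0;
    if (inject_by_path(path, msg) == 0) {
        ssize_t n = read(master, buf, sizeof buf - 1);
        if (n > 0) { buf[n] = '\0'; ok = strcmp(buf, msg) == 0; }
    }
    close(victim);
    close(master);
    return ok;
}

/* Probe for use inside a jail: how many /dev/pts/N can this process open
 * for writing? Anything beyond the ptys the jail itself owns is a host
 * terminal it can scribble on. Returns -1 if /dev/pts is not mounted. */
int writable_ptys(void)
{
    DIR *d = opendir("/dev/pts");
    if (!d) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d))) {
        if (e->d_name[0] == '.' || strcmp(e->d_name, "ptmx") == 0) continue;
        char p[PATH_MAX];
        snprintf(p, sizeof p, "/dev/pts/%s", e->d_name);
        int fd = open(p, O_WRONLY | O_NOCTTY | O_NONBLOCK);
        if (fd >= 0) { close(fd); count++; }
    }
    closedir(d);
    return count;
}

int main(void)
{
    printf("injection via slave path works: %d\n", pts_injection_works("ab"));
    printf("ptys writable from here: %d\n", writable_ptys());
    return 0;
}
```

The count from writable_ptys() is only meaningful compared with the ptys
the jail itself allocated: run it from a jail with no interactive logins
and any non-zero result is a host terminal the jail can write to.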
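[editor's note, added example; not bsdjail code and not something either
poster wrote] On the pivot_root EBUSY from question 2: the requirement is
that new_root be a mount point, and a plain directory on an existing
filesystem becomes one when it is bind-mounted onto itself, so a per-jail
subdirectory on the root fs works fine. The program below does that, builds
the layout Serge describes (read-only bind of /usr, a fresh tmpfs on /tmp)
and goes one step beyond the thread: the read-only bind remount and the
private devpts instance ("newinstance") both exist in current kernels
(2.6.26 and 2.6.29 respectively), and a private devpts is the clean answer
to question 1, because the host's /dev/pts/N is simply not present in the
jail. It assumes root, Linux, and that the jail directory already contains
usr, tmp, dev/pts and .put_old; all names are my own.

```c
/* Added example (not bsdjail code): jail root in a plain directory, entered
 * with pivot_root(2). Needs root; Linux >= 2.6.29 for devpts "newinstance". */
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>

/* 1 if path is a mount point, 0 if not, -1 on error. Checked against
 * /proc/self/mountinfo rather than st_dev, because a directory bind-mounted
 * onto itself keeps the same st_dev as its parent and a stat(2)-based test
 * would miss exactly the mount we create below. (Mount points containing
 * spaces appear octal-escaped in mountinfo; not handled here.) */
int is_mountpoint(const char *path)
{
    char want[PATH_MAX];
    if (!realpath(path, want)) return -1;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    char line[4096];
    int found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        /* fields: id parent major:minor root mountpoint ... */
        char *save, *tok = strtok_r(line, " ", &save);
        for (int i = 0; tok && i < 4; i++) tok = strtok_r(NULL, " ", &save);
        if (tok && strcmp(tok, want) == 0) found = 1;
    }
    fclose(f);
    return found;
}

static int sub(char *out, size_t n, const char *root, const char *rel)
{
    return snprintf(out, n, "%s/%s", root, rel) < (int)n ? 0 : -1;
}

/* Set up the mounts and move the calling process into the jail.
 * Returns 0 on success, -1 with errno from the failing call otherwise. */
int enter_jail(const char *root)
{
    char p[PATH_MAX], old[PATH_MAX];

    /* Private mount namespace, and stop propagation: pivot_root refuses
     * (EINVAL) if the parent mount is shared, which it is on most systems. */
    if (unshare(CLONE_NEWNS)) return -1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) return -1;

    /* This is the EBUSY fix: make new_root a mount point by binding it
     * onto itself when the directory is not one already. */
    if (is_mountpoint(root) != 1 && mount(root, root, NULL, MS_BIND, NULL))
        return -1;

    /* /usr shared read-only: bind first, then remount the bind read-only. */
    if (sub(p, sizeof p, root, "usr")) return -1;
    if (mount("/usr", p, NULL, MS_BIND, NULL)) return -1;
    if (mount(NULL, p, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) return -1;

    /* Fresh, private /tmp. */
    if (sub(p, sizeof p, root, "tmp")) return -1;
    if (mount("tmpfs", p, "tmpfs", MS_NOSUID | MS_NODEV, "size=64m")) return -1;

    /* Private pty namespace: host ptys are not visible at all. On kernels
     * older than 4.7 make the jail's /dev/ptmx a symlink to pts/ptmx. */
    if (sub(p, sizeof p, root, "dev/pts")) return -1;
    if (mount("devpts", p, "devpts", MS_NOSUID | MS_NOEXEC,
              "newinstance,ptmxmode=0666")) return -1;

    if (sub(old, sizeof old, root, ".put_old")) return -1;
    if (syscall(SYS_pivot_root, root, old)) return -1;
    if (chdir("/")) return -1;
    /* Detach the old root so nothing in the jail can walk back into it. */
    if (umount2("/.put_old", MNT_DETACH)) return -1;
    return rmdir("/.put_old");
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s /path/to/jail\n", argv[0]); return 2; }
    if (enter_jail(argv[1])) { perror("enter_jail"); return 1; }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Because the filesystem is the same one the host uses, the only thing
keeping the jail inside its subdirectory is the mount table and the
pivot_root; a separate filesystem (or a loopback image, as Serge suggests
for /home) additionally caps how much disk the jail can fill.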



This archive was generated by hypermail 2.1.3 : Thu Jan 13 2005 - 16:42:21 PST