[full quote for benefit of list]

hello,

On Thu, 13 Jan 2005, Serge E. Hallyn wrote:

| Hi,
|
| > thanks for writing the bsdjail module, it looks very useful indeed.
|
| Glad you like it!
|
| > some questions came to mind,
| >
| > 1) in a chroot you need devpts mounted to have a functioning environment.
| > can root inside the jail eavesdrop on pseudoterminals if i do this?
|
| Eavesdropping doesn't seem to work, but I tested after reading your msg,
| and I can definitely "echo ab > /dev/pts/0" from a jail.
|
| I will need to look into how to fix this. Thanks for pointing it out.

cool.

| > 2) in the documentation example, you set up a whole separate filesystem
| > for use inside the jail. is there a security reason for this, outside
| > of the obvious one of limiting disk space use of the jail?
|
| Yes, because this way evil or subverted processes inside a jail can only
| write in their own filesystem. If/when read-only bind mounts work, then
| you'll be able to share, for instance, /usr and /etc read-only in the jail,
| create a fresh tmpfs for /tmp, and use a loopback fs for /home or
| /var/www, for instance.
|
| Mostly, using a separate fs makes for the simplest and shortest examples in
| the documentation :)

read-only bind mounts sound good. my feeble mind can not really divine
from the above if/why using a per-jail private subdirectory on an existing
filesystem would be bad...?

between sending the mail and receiving your reply, i actually tried
setting up a jail in a directory on my root fs, and discovered, from
pivot_root manual page:

    EBUSY  new_root or put_old are on the current root file system,
           or a file system is already mounted on put_old.

but i guess it would work on a non-root fs.

| > 3) is there a mailing list for discussing this stuff? :)
|
| Only the LSM mailing list. Info for that is at lsm.immunix.org. It was
| pretty dead for awhile, but has become more active again recently.

cc'd.

--
erno
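
An added example, not part of the original thread or of the bsdjail code: a check over `/proc/self/mountinfo` text that flags any filesystem visible both inside and outside a jail yet writable inside it, which covers both the shared devpts mount and the bind-mount sharing discussed above. The jail paths, device numbers and mountinfo lines are constructed sample data, and `audit_jail` is a hypothetical helper name.

```python
# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:12 / /dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620
40 22 7:0 / /srv/jail1 rw,relatime - ext4 /dev/loop0 rw
41 40 8:1 /usr /srv/jail1/usr ro,relatime - ext4 /dev/sda1 rw
42 40 8:1 /etc /srv/jail1/etc rw,relatime - ext4 /dev/sda1 rw
43 40 0:35 / /srv/jail1/tmp rw,nosuid,nodev - tmpfs tmpfs rw
44 40 0:12 / /srv/jail1/dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620
"""

def parse_mountinfo(text):
    """Yield (device, mount_point, fstype, per-mount options) for each line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields end at the " - " separator; spaces in paths are
        # escaped as \040 by the kernel, so whitespace splitting is safe.
        left, _, right = line.partition(" - ")
        fields = left.split()
        yield fields[2], fields[4], right.split()[0], set(fields[5].split(","))

def audit_jail(text, jail_root):
    """Return findings for mounts that let a jail write outside its own filesystem."""
    jail_root = jail_root.rstrip("/")
    inside, host_devs, findings = [], set(), []
    for dev, mnt, fstype, opts in parse_mountinfo(text):
        if mnt == jail_root or mnt.startswith(jail_root + "/"):
            inside.append((dev, mnt, fstype, opts))
        else:
            host_devs.add(dev)  # filesystems reachable from outside the jail
    # A jail root that is a plain directory lives on a host filesystem
    # (pivot_root(2) also requires new_root to be a mount point).
    if not any(mnt == jail_root for _, mnt, _, _ in inside):
        findings.append(f"{jail_root}: not its own mount, jail writes land on a host filesystem")
    # Same device number inside and outside means the same superblock is
    # shared; the per-mount "ro" flag is what makes a bind mount read-only.
    for dev, mnt, fstype, opts in inside:
        if dev in host_devs and "ro" not in opts:
            findings.append(f"{mnt}: {fstype} shared with host and writable")
    return findings

if __name__ == "__main__":
    for finding in audit_jail(SAMPLE_MOUNTINFO, "/srv/jail1"):
        print(finding)
```

On the sample, the read-only `/usr` bind mount, the loopback root and the private tmpfs pass, while the writable `/etc` bind mount and the devpts instance shared with the host are reported.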
This archive was generated by hypermail 2.1.3 : Thu Jan 13 2005 - 16:42:21 PST