Since some of you use the jailutils package, I just wanted to post some
additional info on the recent 'security fix' and also highlight a
possible issue with the 'jail' command.
It's not a very big issue (unless I'm missing something), simply one of
leaking the host environment into the jail.
This might be used legitimately in certain cases, but in most cases it's
probably a good idea to clear out the environment before executing the
jail() or jail_attach() syscalls.
The 'jstart' utility included in jailutils does this, and it would
probably be a good addition to 'jexec' and/or 'jail'.