What to put in devfs for a typical jail
Alexander Leidinger
Alexander at Leidinger.net
Mon Jul 30 06:18:15 UTC 2007
Quoting Paul Hoffman <phoffman at proper.com> (from Sun, 29 Jul 2007
11:57:45 -0700):
> Greetings. I want to set up a jail for a web server. It only needs to
> access the things a normal system would (its own disk space, the
> network controller, the keyboard, and so on). I need to be SSHing into
> the jailed system to control it.
>
> The manpage for jail says:
> NOTE: It is important that only appropriate device nodes in devfs be
> exposed to a jail; access to disk devices in the jail may permit
> processes in the jail to bypass the jail sandboxing by modifying files
> outside of the jail. See devfs(8) for information on how to use
> devfs rules to limit access to entries in the per-jail devfs.
>
>
> What should I do for /etc/devfs.rules on the host? What should I be
> excluding?
In addition to what you already got as a response: I doubt you need
access to the keyboard in the jail. Access to the keyboard only makes
sense if you also have a way to give access to a display. X.org will
not run in a jail without a kernel patch, and I haven't tested if you
can give access to a virtual console in a jail (if I listen to my
belly, I have my doubts that it is possible without some patches).
Some predefined rules for devfs are in /etc/defaults/devfs.rules.
Bye,
Alexander.
--
The best you get is an even break.
-- Franklin Adams
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
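
An added example, not part of the original message and not a file shipped with FreeBSD: a host-side /etc/devfs.rules ruleset composed from the predefined sets in /etc/defaults/devfs.rules mentioned above. The ruleset name devfsrules_webjail, the number 10 and the jail name www are assumptions chosen for illustration.

```conf
# /etc/devfs.rules on the host (added example; name and number are assumptions)
#
# Rules in a set are applied in order: start from "everything hidden"
# and unhide only what a network service with SSH logins needs.
[devfsrules_webjail=10]
# Hide every node first, so disk, memory and console/keyboard devices
# never appear in the jail's /dev.
add include $devfsrules_hide_all
# Basic nodes such as null, zero and random.
add include $devfsrules_unhide_basic
# Terminal and standard I/O nodes needed for interactive logins (SSH).
add include $devfsrules_unhide_login

# /etc/rc.conf on the host, for a jail assumed to be named "www":
#   jail_www_devfs_enable="YES"
#   jail_www_devfs_ruleset="devfsrules_webjail"
```

Once the jail is started, listing the jail's /dev from the host should show no disk device nodes; `devfs rule -s 10 show` prints the rules loaded into that set.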