BSD Operating Systems

FreeBSD Jails (70 comments)

BSD Forums writes "A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. OnLamp's Mike DeGraw-Bertsch explains how FreeBSD's jails can help secure necessary applications."
  • sandbox (Score:5, Interesting)

    by Hard_Code ( 49548 ) on Friday September 05, 2003 @11:00AM (#6879640)
    Instead of this ad-hoc-ish system, wouldn't a better solution be to have a "correct" sandbox in which a policy can be attached to ANY process, which determines what kernel calls can be made, and potentially with what parameters? Then there is no need for wacky interface aliasing and stuff like that.
    • Re:sandbox (Score:5, Informative)

      by ctr2sprt ( 574731 ) on Friday September 05, 2003 @03:25PM (#6882051)
      No, not really. The problem with all these fine-grained access controls is that they are painfully difficult to use. Unix admins get worked up about the complexity introduced by simple POSIX filesystem ACLs; how do you think they'll be able to tolerate having per-process syscall control? It would just never get used. Incidentally, there are patches which allow exactly the functionality you describe. And nobody uses them except for people with a really exceptional need for security.

      Jails have other uses too, by the way. Website hosting is one such example. You can set up jails for each person using the machine, and then he gets his own root login. He can modify Apache config files himself and do any other configuration stuff, but he can't break out of the jail to interfere with other users. There are actually providers out there that do this, though I don't know any of them by name.

      • Re:sandbox (Score:3, Informative)

        by delfstrom ( 205488 )
        There are actually providers out there that do this, though I don't know any of them by name
        JohnCompanies [johncompanies.com] is one such host that uses FreeBSD jails to give you your own root and ports tree.
    • You mean like systrace?
    • Sandbox, that's exactly what I was gonna say. Why the idea of the sandbox never caught on earlier I'll never know. I don't know if the concept had been introduced at the time, but while emulating a Wintel machine on an Amiga (anyone remember those? :) the idea hit me that "memory management" could be easily implemented by setting memory limits, etc. per process as the emulator was doing for the PC processes.
  • Jails addons (Score:5, Informative)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Friday September 05, 2003 @12:11PM (#6880299) Homepage
    For some fun jail patches have a look at garage.freebsd.pl [freebsd.pl]

  • more on jails (Score:3, Informative)

    by nerdsv650 ( 175205 ) <nerdsdNO@SPAMnerdy1.com> on Friday September 05, 2003 @03:52PM (#6882343) Homepage
    Nice intro. I've been running jails on FreeBSD for some time now, here are some additional notes I put together some time back.


    Hope this helps someone.

  • by F2F ( 11474 ) on Friday September 05, 2003 @05:14PM (#6883082)
    we have them in Plan 9. and they've been there for the past 14 years -- each user, each process, each device exists in its own namespace and views the system differently.

    my / != your /

    after years and years of trying [lanl.gov] maybe it's time you guys really do something about it -- jails are a temporary solution, and not a very good one at that.

    you need full private namespaces for the same reason you need local variables in your programs -- it's just too nasty otherwise.
    • by cperciva ( 102828 ) on Friday September 05, 2003 @07:38PM (#6884273) Homepage
      DragonFlyBSD is supposed to be getting something like this; each process only sees its own version of shared libraries.
    • Sounds like User Mode Linux [sourceforge.net]:

      User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions, and poke around in the internals of Linux, all without risking your main Linux setup.

      User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical m

  • by Anonymous Coward
    FreeBSD's jails are a very cool security feature in my mind. Does Linux offer something similar?
    • Does Linux offer something similar [to chroot jails]?

      Linux has a chroot jail [linux-mag.com].

      SCO has the other kind of jail too, unless you pay $699 to Darl McBribe [sic].

    • In addition to chroot, Linux also offers User Mode Linux [sourceforge.net], which is like a supermaximum security jail cell. Or, you can go to MAC/RBAC systems such as grsecurity [grsecurity].
      • by Anonymous Coward
        Actually, UML is not a supermaximum; it may be considered a supermaximum chroot, but in fact it's much worse than the FreeBSD jail functionality.

        1. For each UML you have another kernel stealing memory, FreeBSD just uses one kernel.

        2. UML uses loopback on fs, which is really really slow, it also means that if you have multilevel "jails" you soon get practically zero performance; with FreeBSD this does not happen.

        In all fairness, UML is great if you want to test your programs for a multitude of different
        • Both (1) and (2) are the price for a higher level of security of the system overall compared to FreeBSD's jail.

          However, when you don't need THAT level of isolation I would consider Plan 9's private namespaces, whose fine-grained control is far superior to jail.

  • by holzp ( 87423 )
    With the RIAA and SCO stories I was starting to think one of them was about to go after FreeBSD users!
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Saturday September 06, 2003 @09:59AM (#6886937) Homepage Journal
    I wrote (in Perl) a set of jail management scripts. They're available at SubWiki:Freebsd/JailAdmin [honeypot.net].

    The main feature is a configuration that lets you act on jails by name. For instance:

    jailadmin start web3 news7 shell1 shell2
    will start those jails, and
    jailadmin stop shell4
    will stop that instance. Basically, I wanted to make a system that was convenient for people with large numbers of jails on one machine, but easy enough for everyone.

    Included are an rc.d script for starting/stopping a set of jails at boot/shutdown, and an snmpd plugin for remote monitoring.
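    A minimal name-based jail starter in the spirit of the jailadmin scripts described above, as an added example (this is not the scripts the comment links to). It assumes the classic jail(8) invocation "jail path hostname ip-number command" and a constructed table of jail names, root paths, hostnames and addresses; a dry-run flag prints the command lines instead of running them, and a duplicate-IP/root check refuses a table where two jails would step on each other.

```shell
#!/bin/sh
# Added example, not the jailadmin scripts the comment links to: a minimal
# name-based jail starter in the spirit of "jailadmin start web3 news7".
# Assumes the classic jail(8) syntax "jail path hostname ip-number command"
# and the constructed jail table below (adjust names, paths and IPs).

# Constructed table, one jail per line: name|root path|hostname|IP address
JAIL_TABLE='web3|/usr/jails/web3|web3.example.net|192.0.2.13
news7|/usr/jails/news7|news7.example.net|192.0.2.17
shell1|/usr/jails/shell1|shell1.example.net|192.0.2.21'

# Print one field (2=path, 3=hostname, 4=ip) for a jail name; fail if unknown.
jail_field() {
    printf '%s\n' "$JAIL_TABLE" |
        awk -F'|' -v n="$1" -v f="$2" '$1 == n { print $f; found = 1 }
                                       END { exit !found }'
}

# Refuse a table where two jails share an IP or a root path: a shared IP
# lets one jail bind the other's services, a shared root lets it edit them.
jail_check_table() {
    printf '%s\n' "$JAIL_TABLE" |
        awk -F'|' 'BEGIN { dup = 0 }
                   NF == 4 && (seen_ip[$4]++ || seen_path[$2]++) { dup = 1 }
                   END { exit dup }'
}

# Build the jail(8) command that boots one jail through its own /etc/rc.
jail_start_cmd() {
    path=$(jail_field "$1" 2) || return 1
    host=$(jail_field "$1" 3) || return 1
    ip=$(jail_field "$1" 4) || return 1
    printf 'jail %s %s %s /bin/sh /etc/rc\n' "$path" "$host" "$ip"
}

# Start every named jail (run as root); "-n" only prints the command lines.
jail_start() {
    if [ "$1" = -n ]; then dry=1; shift; else dry=0; fi
    jail_check_table || { echo "duplicate IP or root path in jail table" >&2; return 1; }
    for name in "$@"; do
        cmd=$(jail_start_cmd "$name") || { echo "unknown jail: $name" >&2; return 1; }
        if [ "$dry" = 1 ]; then
            echo "$cmd"
        else
            $cmd   # word-split on purpose: runs jail(8) with the four arguments
        fi
    done
}
```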

