On Feb 6, 2006, at 1:29 PM, Björn König wrote:

> Andre Oppermann wrote:
>
>> [...] If you have normal users on the host and
>> have jails under the same user id then, yea, tough luck. You're not
>> supposed to do that. [...]
>
> Yes, I can prevent from overlapping UIDs, but how to prevent from
> that if host administrator and jail administrator are two
> independent parties? It requires much more carefulness and
> precautions.

Well, the host admin, when detailing services and responsibilities to the jail admin (I have a similar situation), can tell the jail admin which range of UIDs to use for new users. I typically use the last byte of the IP address * 100 as the base. E.g., say a jail is 192.168.1.100, then they can start with 10000 as a UID and go up to 10100.

Additionally, the host should ideally have no users but the bare minimum for the admin. All the "host"-based users and services should ideally be in their own jail.

And if you can use a common base jail install mounted read-only inside each jail, you will greatly increase security of the jails, as exploits that replace system binaries will fail.

Greetings from Utah
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net

Received on Mon Feb 06 2006 - 20:14:23 UTC
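An added example, not part of the original message: a Python audit of the UID scheme described above (last byte of the jail's IP address * 100 as the base), run over each jail's passwd file and the host's. The passwd contents are constructed samples; the 100-UID half-open range per jail and the treatment of UIDs below 1000 and of 65534 as base-system accounts are assumptions.

```python
import ipaddress

UID_SPAN = 100  # assumption: each jail gets 100 UIDs, so neighbouring jails never overlap


def is_system(uid):
    # Assumption: UIDs below 1000 and 65534 (nobody) are base-system accounts
    # that legitimately exist in the host and in every jail.
    return uid < 1000 or uid == 65534


def uid_range(jail_ip):
    """UID range for a jail: last byte of its IPv4 address * 100 as the base."""
    base = ipaddress.IPv4Address(jail_ip).packed[-1] * UID_SPAN
    return range(base, base + UID_SPAN)


def parse_passwd(text):
    """Return {uid: [login names]} from passwd(5) text, skipping comments and blanks."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid = line.split(":")[:3]
        users.setdefault(int(uid), []).append(name)
    return users


def audit(host_passwd, jails):
    """jails maps jail IP -> passwd text. Returns (ip, uid, login, problem) tuples."""
    host = {u: n for u, n in parse_passwd(host_passwd).items() if not is_system(u)}
    findings = []
    for ip, text in jails.items():
        allowed = uid_range(ip)
        for uid, names in parse_passwd(text).items():
            if is_system(uid):
                continue
            if uid not in allowed:
                findings.append((ip, uid, names[0], "outside assigned range"))
            if uid in host:
                findings.append((ip, uid, names[0], "same UID as host user " + host[uid][0]))
    return findings


# Constructed sample data (not taken from any real system).
HOST_PASSWD = "# constructed\nroot:*:0:0::/root:/bin/csh\nadmin:*:1001:1001::/home/admin:/bin/sh\n"
JAILS = {
    "192.168.1.100": "root:*:0:0::/root:/bin/csh\nalice:*:10000:10000::/home/alice:/bin/sh\n"
                     "bob:*:1001:1001::/home/bob:/bin/sh\n",
    "192.168.1.101": "carol:*:10100:10100::/home/carol:/bin/sh\n",
}

if __name__ == "__main__":
    for finding in audit(HOST_PASSWD, JAILS):
        print(*finding)
```
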