On Feb 6, 2006, at 2:24 PM, Julian Elischer wrote:

> Chad Leigh -- Shire.Net LLC wrote:
>
>> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>>
>>> Andre Oppermann wrote:
>>>
>>>> [...] If you have normal users on the host and
>>>> have jails under the same user id then, yea, tough luck. You're not
>>>> supposed to do that. [...]
>>>
>>> Yes, I can prevent from overlapping UIDs, but how to prevent
>>> from that if host administrator and jail administrator are two
>>> independent parties? It requires much more carefulness and
>>> precautions.
>>
>> Well, the host admin, when detailing services and responsibilities
>> to the jail admin (I have a similar situation), can tell the jail
>> admin which range of UIDs to use for new users. I typically use
>> the last byte of the IP address * 100 as the base.
>>
>> E.g., say a jail is 192.168.1.100 then they can start with 10000 as
>> a UID and go up to 10100.
>>
>> Additionally, the host should ideally have no users but the bare
>> minimum for the admin. All the "host"-based users and services
>> should ideally be in their own jail.
>
> Generally at Vicor, we had a rule that either all users were in
> jails, or none were..
> A Jail server wasn't considered part of the resources available to
> users, only the jails themselves.

Exactly. Our jail servers have a login account only for those admin
personnel who need to admin the server itself. It is ONLY accessible
through certificate protected ssh (no passwords allowed) and no services
run on the jail server itself, only services in jails, so the only open
port on the jail server itself is the sshd one...

Best
Chad

>> And if you can use a common base jail install mounted read only
>> inside each jail, you will greatly increase security of the jails
>> as exploits that replace system binaries will fail.
>>
>> greetings from utah
>> Chad
>>
>> ---
>> Chad Leigh -- Shire.Net LLC
>> Your Web App and Email hosting provider
>> chad at shire.net

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net

Received on Mon Feb 06 2006 - 20:29:00 UTC
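The UID-range convention Chad describes (last octet of the jail's address times 100, one hundred UIDs per jail) and the overlap problem Björn raises can both be checked mechanically. The following POSIX sh script is an added example, not code from anyone in this thread; it assumes that system accounts below UID 1000 are legitimately present in both the host's and the jail's passwd file and that only real user accounts need to be disjoint, and it works on constructed sample passwd files rather than a live system.

```shell
#!/bin/sh
# Added example (not from the thread): derive a jail's UID base from the
# last octet of its IP address using the "last byte * 100" rule, check a
# jail's passwd file for user UIDs outside that range, and check it against
# the host's passwd file for overlapping user UIDs.

MIN_USER_UID=1000   # assumption: accounts below 1000 are shared system accounts
RANGE=100           # one jail gets base .. base+RANGE, as in the message

# jail_uid_base IP -> prints (last octet * 100), e.g. 192.168.1.100 -> 10000
jail_uid_base() {
    echo $(( ${1##*.} * 100 ))
}

# user_uids PASSWD -> prints the non-system UIDs of a passwd file, sorted, unique
user_uids() {
    awk -F: -v min="$MIN_USER_UID" '$3 >= min+0 { print $3 }' "$1" | sort -n | uniq
}

# uid_overlaps HOST_PASSWD JAIL_PASSWD -> prints user UIDs present in both files;
# returns 1 if any overlap exists, 0 if the two sets are disjoint
uid_overlaps() {
    dups=$( { user_uids "$1"; user_uids "$2"; } | sort -n | uniq -d )
    [ -z "$dups" ] && return 0
    echo "$dups"
    return 1
}

# uids_outside_range JAIL_PASSWD BASE -> prints user UIDs not in BASE..BASE+RANGE;
# returns 1 if any are found (note: low octets give bases below 1000, where the
# host's own system accounts live, so the overlap check above still matters)
uids_outside_range() {
    out=$(user_uids "$1" | awk -v lo="$2" -v hi="$(( $2 + RANGE ))" '$1 < lo+0 || $1 > hi+0')
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# make_demo_files -> writes constructed host and jail passwd files to a temp
# directory and prints its path (sample data only; UID 10042 is shared on purpose)
make_demo_files() {
    d=$(mktemp -d)
    printf 'root:*:0:0:root:/root:/bin/sh\nadmin:*:1001:1001::/home/admin:/bin/sh\nshared:*:10042:10042::/home/shared:/bin/sh\n' > "$d/host.passwd"
    printf 'root:*:0:0:root:/root:/bin/sh\nwww1:*:10001:10001::/home/www1:/bin/sh\nshared:*:10042:10042::/home/shared:/bin/sh\n' > "$d/jail.passwd"
    echo "$d"
}
```

On a real host the same functions would be pointed at /etc/passwd and at the jail root's etc/passwd; a non-zero status from either check is the signal that the host and jail administrators have drifted out of their agreed ranges.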