<<O>>  Difference Topic JailEnvironment (r1.3 - 07 Jan 2003 - KirkStrauser)

META TOPICPARENT JailAdmin
In FreeBSD, a JailEnvironment is similar to a ChRoot? restriction, except that it adds extra limits to the processes running under it:
Line: 6 to 6

  • Processes within the jail cannot "see" process that are not inside it.
  • Various syscalls, such as mknod, are disallowed
Changed:
<
<
It's quite possible to establish many JailEnvironments within one running system. For example, you could have a webserver, a mailserver, and a DNS server operating within completely isolated environments. If one of those systems is compromised, the system administrator can shut down that environment without disturbing the others.
>
>
It's quite possible to establish many JailEnvironments within one running system. For example, you could have a webserver, a mailserver, and a NameServer operating within completely isolated environments. If one of those systems is compromised, the system administrator can shut down that environment without disturbing the others.

It's not terribly difficult to BuildAndUpdateJails once you've done it once or twice. There is a somewhat high-level administration tool, JailAdmin, to assist in the day-to-day operation and monitoring of a server's JailEnvironments.
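
Review bot: In the changed sentence, replacing "a DNS server" with "a NameServer" drops a bare WikiWord into a plain-English list ("a webserver, a mailserver, and a NameServer"). If the wiki supports link labels, link the words "DNS server" to the NameServer topic instead, so the sentence keeps its wording and still gains the cross-reference.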

Line: 14 to 14

META FORM ClassForm  
META FIELD TopicClassification TopicClassification SystemSecurity
Changed:
<
<
META FIELD OsVersion OsVersion 4.x, CURRENT
>
>
META FIELD OsVersion OsVersion 4.x, 5.x, CURRENT

META TOPICMOVED KirkStrauser? date="1031881653" from="Freebsd.JailEnvironments" to="Freebsd.JailEnvironment"
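
Review bot: The OsVersion field now reads "4.x, 5.x, CURRENT", but the only body change in this revision is the DNS server to NameServer wording, so the topic gives a reader no sign that the listed jail restrictions were checked on 5.x. A short line saying the description applies unchanged to 5.x, or noting what differs, would back the new field value.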
 <<O>>  Difference Topic JailEnvironment (r1.2 - 13 Sep 2002 - KirkStrauser)

META TOPICPARENT JailAdmin
In FreeBSD, a JailEnvironment is similar to a ChRoot? restriction, except that it adds extra limits to the processes running under it:
Line: 9 to 9

It's quite possible to establish many JailEnvironments within one running system. For example, you could have a webserver, a mailserver, and a DNS server operating within completely isolated environments. If one of those systems is compromised, the system administrator can shut down that environment without disturbing the others.

It's not terribly difficult to BuildAndUpdateJails once you've done it once or twice. There is a somewhat high-level administration tool, JailAdmin, to assist in the day-to-day operation and monitoring of a server's JailEnvironments.

Added:
>
>

-- KirkStrauser - 12 Sep 2002


META FORM ClassForm  
META FIELD TopicClassification TopicClassification SystemSecurity
META FIELD OsVersion OsVersion 4.x, CURRENT
Added:
>
>
META TOPICMOVED KirkStrauser? date="1031881653" from="Freebsd.JailEnvironments" to="Freebsd.JailEnvironment"
 <<O>>  Difference Topic JailEnvironment (r1.1 - 13 Sep 2002 - TWikiGuest)
Line: 1 to 1
Added:
>
>
META TOPICPARENT JailAdmin
In FreeBSD, a JailEnvironment is similar to a ChRoot? restriction, except that it adds extra limits to the processes running under it:

  • All networking code is limited to listening to or connecting from the IP address specified when starting the jail.
  • Processes within the jail cannot "see" process that are not inside it.
  • Various syscalls, such as mknod, are disallowed

It's quite possible to establish many JailEnvironments within one running system. For example, you could have a webserver, a mailserver, and a DNS server operating within completely isolated environments. If one of those systems is compromised, the system administrator can shut down that environment without disturbing the others.

It's not terribly difficult to BuildAndUpdateJails once you've done it once or twice. There is a somewhat high-level administration tool, JailAdmin, to assist in the day-to-day operation and monitoring of a server's JailEnvironments.

META FORM ClassForm  
META FIELD TopicClassification TopicClassification SystemSecurity
META FIELD OsVersion OsVersion 4.x, CURRENT
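
Review bot: Two wording slips in the bullet list of the new topic: "cannot "see" process that are not inside it" should read "processes", and the last bullet ("Various syscalls, such as mknod, are disallowed") is missing the closing period that the two bullets above it have. That last bullet also names only mknod; listing the other disallowed syscalls, or pointing to where they are documented, would make it usable as a reference when judging what a jailed process can still do.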
Revision r1.1 - 13 Sep 2002 - 01:38 - TWikiGuest
Revision r1.3 - 07 Jan 2003 - 15:12 - KirkStrauser