From: David G . Andersen (dandersecs.utah.edu)
Date: Tue Apr 02 2002 - 19:14:02 CST

    Does anyone have warnings / experience with how Jail will behave
    when used with a single IP address, as "chroot++"?
    What I'm really looking for is something that's a
    hybrid between chroot and jail; my machines have only a single IP address,
    but I'd like the benefit of a real Jail environment, that people can access
    through an sshd started on a different port from within the jail.

    It seems to have the dangers one would expect - root inside the jail can bind
    TCP ports that take over those from the external jail environment (highly
    bummer), but these can likely be fixed with a little bit of hackery,
    or very easily by denying binding to ports < 1024 from the jail environment..
    are there any other caveats of which I should be aware before heading down
    this road? Or has anyone else done this before and has lots of good advice?

    TIA,

       -Dave

    -- 
    work: dgalcs.mit.edu                          me:  dgapobox.com
          MIT Laboratory for Computer Science           http://www.angio.net/
    
