New to jails and ezjails. Firstly, thanks for a great time-saving tool.
Ease of use means more security, which I like.
A couple of suggestions. Forgive me if this has been discussed before,
as it's not possible, AFAICT, to search the ezjail list due to the archive
being on https.
First thing I noticed was the lack of nosuid, noexec options in the
created jails. Most jails can run all fs nosuid, with no problems. This
would be a nice option to provide extra security for those that don't
I think the option of a nullfs mounted /tmp with the relevant security
options would be good. I'm finding myself adding an extra fs to the jail's
fstab to create a more secure /tmp in the jail:
/dev/amrd0s1g on /ezjail (ufs, local, noatime, nosuid, soft-updates, acls)
/ezjail/basejail on /ezjail/web0legacy/basejail (nullfs, local, noatime, nosuid, read-only)
/ezjail/tmp/web0legacy on /ezjail/web0legacy/tmp (nullfs, local, noatime, noexec, nosuid, nosymfollow)
devfs on /ezjail/web0legacy/dev (devfs, local)
/var/tmp is symlinked to /tmp in the jail and clear_tmp_enable="YES"
is in the jails' rc.conf.
It can take a while to discover the necessity of flags such as
nosymfollow. We could save new converts (like me *) the trouble?
Does this sound useful or am I missing something?
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837 Fax: +44 161 295 5888 www.pgp.com for PGP key
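
An added example, not part of the original message or of ezjail: a shell function that reads `mount` output in the format quoted above and reports jail mounts missing the flags the post recommends. The function names, the `web1` sample lines and the policy itself (nosuid on every non-devfs mount under the jail root, plus noexec and nosymfollow on any mount point ending in /tmp) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Policy below is an assumption drawn from the post:
#   - every non-devfs mount at or under the jail root must be nosuid
#   - a mount point ending in /tmp must also be noexec and nosymfollow

# audit_jail_mounts ROOT: reads mount(8) output on stdin, prints findings,
# returns 1 if any mount is missing a required flag.
audit_jail_mounts() {
    awk -v root="$1" '
    {
        # Line format: <source> on <mountpoint> (<fstype>, <opt>, ...)
        i = index($0, " on ")
        if (i == 0 || !match($0, / \([^()]*\)$/)) next
        mp   = substr($0, i + 4, RSTART - (i + 4))
        opts = substr($0, RSTART + 2, RLENGTH - 3)
        if (mp != root && index(mp, root "/") != 1) next
        split(opts, o, /, */)
        if (o[1] == "devfs") next          # devfs carries no such flags in the post
        need = "nosuid"
        if (mp ~ /\/tmp$/) need = need " noexec nosymfollow"
        k = split(need, want, " ")
        missing = ""
        for (j = 1; j <= k; j++)
            if (index(", " opts ",", ", " want[j] ",") == 0)
                missing = missing (missing == "" ? "" : ",") want[j]
        if (missing != "") { print mp ": missing " missing; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# The first four lines are the mounts quoted in the post; the web1 lines are
# constructed to show what a finding looks like.
sample_mounts() {
    cat <<'EOF'
/dev/amrd0s1g on /ezjail (ufs, local, noatime, nosuid, soft-updates, acls)
/ezjail/basejail on /ezjail/web0legacy/basejail (nullfs, local, noatime, nosuid, read-only)
/ezjail/tmp/web0legacy on /ezjail/web0legacy/tmp (nullfs, local, noatime, noexec, nosuid, nosymfollow)
devfs on /ezjail/web0legacy/dev (devfs, local)
/ezjail/basejail on /ezjail/web1/basejail (nullfs, local, read-only)
/ezjail/tmp/web1 on /ezjail/web1/tmp (nullfs, local, noatime, nosuid)
EOF
}

# Live use on a host: mount | audit_jail_mounts /ezjail
sample_mounts | audit_jail_mounts /ezjail || true
```

The mounts quoted in the post pass this check; only the constructed `web1` lines are reported.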