A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. Mike DeGraw-Bertsch explains how FreeBSD’s jails can help secure necessary applications. On other FreeBSD news, a specific schedule for the release of FreeBSD 4.9 is now available.
But what I really can’t wait for is FreeBSD 5.2 to be released.
what’s the difference between freebsd’s jail and the linux chroot i’m familiar with.
a quick review of the article gave me the impression that itsn ot as flexible as chroot (why recompile, make world, make distribution) … and why reboot?
grateful for enlightenment
Chroot only stops a process from reading above its set root directory. Jail seems to make not just the process in the jail but also all the other things it needs to run such as GCC, perl etc.
Chroot restricts only access to the filesystem. Jail creates an isolated group of processes with restricted filesystem, process table and network access. Think of it as somewhere between a chroot and a virtual machine. It is not a virtual machine, because there is not a separate kernel for the processes running in the jail, but in other ways it is similar.
A jailed process only sees other processes within the same jail, it does not see other processes on the machine (e.g. using ps). Even a process with ‘root’ privileges that exists within a jail has limited powers. It cannot create new device nodes. All IP activity is forced to be associated with a particular IP address, which cannot be changed from within the jail. Processes cannot send signals to processes outside the jail.
A jail might contain just one or two processes, or an entire BSD distribution, including all user programs.
For more info see this paper: http://docs.freebsd.org/44doc/papers/jail/jail.html
thanks for the good replies – now i know for future use
so would it be like UML? or could you use UML for the same purposes? where UML = user mode linux