download

System Configuration—JailsThis helps to limit the scope of file system of the process. The process cannot accessfiles and directories outside the chrooted environment and consequently keeps theother parts of the system safe from potential security compromises. However, whenit was introduced, several security vulnerabilities were found (and fixed) that wouldlet an attacker escape from the chrooted environment and get access to the hostfile system. While chroot(8) only limits the scope of the file system visibility, theprocesses will still pretty much share everything else in the operating environment.IntroductionJails were introduced with several security and functionality improvements overthe traditional chroot. While chroot was used to limit the scope of the file system forprocesses, jail is used to develop more complex virtualization scenarios, includingrunning an almost full operating system inside a jail. This type of jail is commonlyreferred to as the Virtual Server. You can set up multiple jails on a host system (theactual operating system you installed on the physical hardware) that runs multiple,complete, FreeBSD systems running different software.A virtual server is used when you want to test a new software or service in a testenvironment, without actually engaging the physical hardware. Another scenariois to set up jails for other people who want to have root access to the system. Givingroot access of a jail, gives super-user power to users, without giving them full accessto the host system. For example, different web hosting companies create jails andvirtual dedicated servers, and give full access of the jails to their customers.Each jail has its own files, processes, and users (including its own root user).However, there are also certain limitations in using jails. For example, they preventyou from doing low-level system operations. These are discussed later in this chapter.There is another type of jail, called the Service Jail. A service jail does not have allthe components of the operating system (including all the libraries, manuals, andconfigurations). Rather, it contains only the required components that are neededto run a specific service such as a web server. However, if you want to run only oneor two services in a jail environment, then service jails are much smaller in size andoffer more security.Jails are lightweight, have low overheads, and are easy to deploy and manage. Asystem administrator may have several jails running on a single host system withminimum headache, offering different network services, which is similar to runningmultiple physical servers.Jails do not offer complete virtualization which the VMWare or other virtualizationsoftware do. There are several limitations in jails that would be discussed later inthis chapter.[ 76 ]