View | Details | Raw Unified | Return to bug 200905

(-)chapter.xml (-8 / +34 lines)
Lines 33-39 Link Here
33
    <para>Jails build upon the &man.chroot.2; concept, which is used
33
    <para>Jails build upon the &man.chroot.2; concept, which is used
34
      to change the root directory of a set of processes, creating a
34
      to change the root directory of a set of processes, creating a
35
      safe environment, separate from the rest of the system.
35
      safe environment, separate from the rest of the system.
36
      Processes created in the chrooted environment can not access
36
      Processes created in the chrooted environment cannot access
37
      files or resources outside of it.  For that reason, compromising
37
      files or resources outside of it.  For that reason, compromising
38
      a service running in a chrooted environment should not allow the
38
      a service running in a chrooted environment should not allow the
39
      attacker to compromise the entire system.  However, a chroot has
39
      attacker to compromise the entire system.  However, a chroot has
Lines 225-231 Link Here
225
    <para>To install just the base system, run the next command when
225
    <para>To install just the base system, run the next command when
226
      using &os;&nbsp;9.x or newer:</para>
226
      using &os;&nbsp;9.x or newer:</para>
227
227
228
    <screen>&prompt.root; <userinput>tar -xf /mnt/usr/freebsd_dist/base.txz -C $DESTDIR</userinput></screen>
228
    <screen>&prompt.root; <userinput>tar -xf /mnt/usr/freebsd-dist/base.txz -C $DESTDIR</userinput></screen>
229
229
230
    <para>On &os; 8.x systems, use this command instead:</para>
230
    <para>On &os; 8.x systems, use this command instead:</para>
231
231
Lines 236-242 Link Here
236
236
237
    <para>When using &os;&nbsp;9.x and newer:</para>
237
    <para>When using &os;&nbsp;9.x and newer:</para>
238
238
239
    <screen>&prompt.root; <userinput>for <replaceable>sets</replaceable> in BASE PORTS; do tar -xf /mnt/FREEBSD_INSTALL/USR/FREEBSD_DIST/$<replaceable>sets</replaceable>.TXZ -C $DESTDIR ; done</userinput></screen>
239
    <screen>&prompt.root; <userinput>for <replaceable>sets</replaceable> in BASE PORTS; do tar -xf /mnt/usr/freebsd-dist/$<replaceable>sets</replaceable>.TXZ -C $DESTDIR ; done</userinput></screen>
240
240
241
    <para>When using &os;&nbsp;8.x:</para>
241
    <para>When using &os;&nbsp;8.x:</para>
242
242
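Review bot: On the new 9.x loop line only the directory was lowercased; the set list BASE PORTS and the .TXZ suffix are still uppercase, so the command expands to /mnt/usr/freebsd-dist/BASE.TXZ, which does not match the base.txz file name used by the single-set command in the previous hunk. On a case-sensitive file system tar will not find the archive. Suggest lowercasing the rest of the line as well: "for sets in base ports; do tar -xf /mnt/usr/freebsd-dist/$sets.txz -C $DESTDIR ; done".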
Lines 320-331 Link Here
320
      <emphasis>service</emphasis> jail, it depends on the service or
320
      <emphasis>service</emphasis> jail, it depends on the service or
321
      application that will run within the jail.</para>
321
      application that will run within the jail.</para>
322
322
323
    <para>Jails are often started at boot time and the &os;
323
    <para>Jails can be started at boot time using
324
      <filename>rc</filename> mechanism provides an easy way to do
324
      <filename>jails.conf</filename> on &os;&nbsp;9.1 or newer, or
325
      this.</para>
325
      by using <filename>rc</filename> mechanism for &os;&nbsp;9.0
326
      and earlier.</para>
326
327
328
    <para>When using &os;&nbsp;9.1 or newer:</para>
329
327
    <procedure>
330
    <procedure>
328
      <step>
331
      <step>
332
	<para>Add to &man.rc.conf.5;:</para>
333
	<programlisting>jail_enable="YES"   # Set to NO to disable starting of any jails</programlisting>
334
      </step>
335
336
      <step>
337
	<para>Create an entry in &man.jail.conf.5; for each
338
	  jail:</para>
339
	<programlisting>testjail {
340
&nbsp;&nbsp;&nbsp;&nbsp;path = /usr/local/jail/testjail;
341
&nbsp;&nbsp;&nbsp;&nbsp;mount.devfs;
342
&nbsp;&nbsp;&nbsp;&nbsp;host.hostname = testhostname;
343
&nbsp;&nbsp;&nbsp;&nbsp;ip4.addr = 192.0.2.100;
344
&nbsp;&nbsp;&nbsp;&nbsp;interface = ed0;
345
&nbsp;&nbsp;&nbsp;&nbsp;exec.start = "/bin/sh /etc/rc";
346
&nbsp;&nbsp;&nbsp;&nbsp;exec.stop = "/bin/sh /etc/rc.shutdown";
347
}</programlisting>
348
      </step>
349
    </procedure>
350
351
    <para>When using &os;&nbsp;9.0 and older:</para>
352
353
    <procedure>
354
      <step>
329
	<para>A list of the jails which are enabled to start at boot
355
	<para>A list of the jails which are enabled to start at boot
330
	  time should be added to the &man.rc.conf.5; file:</para>
356
	  time should be added to the &man.rc.conf.5; file:</para>
331
357
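Review bot: The new introductory paragraph names the file "jails.conf", while the step below it uses &man.jail.conf.5; and the later service paragraph says jail.conf; the plural looks like a typo and should be jail.conf, ideally written with the same man entity. In the same sentence "by using rc mechanism" lost the article the old text had ("the &os; rc mechanism"), and "9.0 and earlier" here versus "9.0 and older" in the para before the second procedure should use one wording. In the testjail programlisting, the &nbsp; entities used for indentation become non-breaking spaces in text that readers will paste into a configuration file; programlisting already preserves whitespace, so plain spaces are the safer choice.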
Lines 363-370 Link Here
363
      </step>
389
      </step>
364
    </procedure>
390
    </procedure>
365
391
366
    <para>&man.service.8; can be used to start or stop a jail by hand,
392
    <para>&man.service.8; can be used to start or stop a jail if an
367
      if an entry for it exists in
393
      entry for it exists in <filename>jail.conf</filename> or
368
      <filename>rc.conf</filename>:</para>
394
      <filename>rc.conf</filename>:</para>
369
395
370
    <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput>
396
    <screen>&prompt.root; <userinput>service jail start <replaceable>www</replaceable></userinput>
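Review bot: The rewritten sentence drops "by hand", which was the only thing contrasting this paragraph with the boot-time procedures just above it; without it the text reads as if &man.service.8; were another way of starting jails at boot. Suggest keeping the phrase, for example "can be used to start or stop a jail by hand if an entry for it exists in ...". The file is also written here as a bare filename, whereas the earlier hunk refers to it as &man.jail.conf.5;; using one form throughout would be clearer.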
