FreeBSD Jail
The FreeBSD jail mechanism is an implementation of operating system-level virtualization that allows administrators to partition a FreeBSD-based computer system into several independent mini-systems called jails.

The need for FreeBSD jails came from service providers' desire to establish a clean, clear-cut separation between their own services and those of their customers, mainly for security and ease of administration. Instead of adding a new layer of fine-grained configuration options, the solution adopted was to compartmentalize the system, both its files and its resources, in such a way that only the right person(s) are given access to the right compartment(s).

Goals
FreeBSD jails mainly aim at three goals:
- Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is (almost) indistinguishable from a real system.
- Security: Each jail is sealed from the others, thus providing an additional level of security.
- Ease of delegation: The limited scope of a jail allows system administrators to delegate several tasks which require superuser access without handing out complete control over the system.

Unlike a common chroot jail, which restricts processes to a particular view of the filesystem, the FreeBSD jail mechanism restricts what a process in a jail can do in relation to the rest of the system. In effect, jailed processes are sandboxed. They are bound to specific IP addresses, and a jailed process cannot access divert or routing sockets. Raw sockets are also disabled by default, but may be enabled by setting the security.jail.allow_raw_sockets sysctl option. Additionally, interaction between processes that are not running in the same jail is restricted.

The jail(8) utility and jail(2) system call first appeared in FreeBSD 4.0. New utilities (for example jls(8) to list jails) and system calls (for example jail_attach(2) to attach a new process to a jail) that render jail management much easier were added in FreeBSD 5.1. The jail subsystem was significantly updated for FreeBSD 7.2, including support for multiple IPv4 and IPv6 addresses per jail and support for binding jails to specific CPUs.

Virtualization
With jail it is possible to create various virtual machines, each having its own set of installed utilities and its own configuration. This makes jails a safe way to try out software. For example, it is possible to run different versions or try different configurations of a web server package in different jails. And since the jail is limited to a narrow scope, the effects of a misconfiguration or mistake (even if made by the in-jail superuser) do not jeopardize the rest of the system's integrity. Since nothing has actually been modified outside of the jail, "changes" can be discarded by deleting the jail's copy of the directory tree.

Virtualization is valuable to service providers wishing to offer their users the ability to have custom configurations and yet keep the overall system easy to maintain. For example, two different customers could need different versions of the same software. Without jails, configuring multiple software versions in different directories and ensuring they do not encroach on each other isn't always possible or easy to maintain (e.g. XFree86 is notoriously hard to move around). Jails, on the other hand, permit software packages to view the system egoistically, as if each package had the machine to itself. Jails can also have their own, independent, jailed superusers.

The FreeBSD jail does not, however, achieve true virtualization; it does not allow the virtual machines to run different kernel versions than that of the base system. All virtual servers share the same kernel and hence expose the same bugs and potential security holes. There is no support for clustering or process migration, so the host kernel and host computer are still a single point of failure for all virtual servers. It is possible to use jails to safely test new software, but not new kernels.

Security
FreeBSD jails are an effective way to increase the security of a server because of the separation between the jailed environment and the rest of the system (the other jails and the base system). For example, in a non-jailed system, a web server running as user www that introduces a PHP-include vulnerability would compromise the entire system: the attacker would have the rights of the user www, which can typically modify files on the web server, wander about in the directory tree and get lots of information, such as the full user list, shell and home directory from /etc/passwd. But if the web server is jailed, the scope of user www is limited to the jail, which in turn can be minimalistic enough not to give away very much. Even if the attacker gained access to the jail's superuser account, he/she could only modify that jail, and not the whole system.

FreeBSD jails are limited in the following ways:
- Jailed processes cannot interact with processes in a different jail. For example, the ps command will only show the processes running in the jail.
- Modifying the running kernel by direct access and loading modules is prohibited. Modifying most sysctls and the securelevel is prohibited.
- Modifying the network configuration, including interfaces, interface or IP addresses, and the routing table, is prohibited. Accessing divert and routing sockets is also prohibited. Additionally, raw sockets are disabled by default. A jail is bound only to specific IP addresses and firewall rules cannot be changed.
- Mounting and unmounting filesystems is prohibited. Jails cannot access files above their root directory (i.e. a jail is chroot'ed).
- Jailed processes cannot create device nodes.
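As an added illustration, not part of the original article, here is a jail.conf(5) stanza for the jailed web server scenario described in the Security section, written in the configuration syntax of current FreeBSD releases (which postdates the 4.0 to 7.2 releases the article covers). The jail name, paths, interface and addresses are made-up values; each parameter is commented with the restriction from the text that it keeps in force or tightens.

```conf
# Constructed jail.conf(5) example for a single jailed web server.
# Defaults shared by every jail defined in this file.
path = "/jails/$name";           # jail root: processes cannot see files above it
host.hostname = "$name.example.org";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;                      # start from a clean environment, not the host's
mount.devfs;                     # give the jail its own devfs instance ...
devfs_ruleset = 4;               # ... filtered by the stock devfsrules_jail ruleset

www {
    # Bind the jail to one address on one interface; from inside, the jail
    # cannot add addresses, change interfaces or touch the routing table.
    interface = "em0";
    ip4.addr = 192.0.2.10;
    ip6.addr = "2001:db8::10";

    # The defaults the article describes, written out so they are auditable.
    allow.raw_sockets = 0;       # raw sockets stay disabled inside the jail
    allow.mount = 0;             # no mounting or unmounting of filesystems
    allow.sysvipc = 0;           # no System V IPC shared with other jails or the host
    allow.chflags = 0;           # in-jail root cannot clear system immutable flags
    children.max = 0;            # no nested jails

    # A jail may raise its securelevel above the host's, but never lower it.
    securelevel = 2;

    persist;                     # keep the jail defined even with no processes in it
}
```

Start it with jail -c www and confirm the bound addresses and parameters with jls -v; a compromise of user www, or even of in-jail root, is then confined to /jails/www.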
Similar technologies
- Other implementations of operating system-level virtualization technology