From: dylanr Date: Wed, 8 Dec 2010 06:58:35 +0000 (-0800) Subject: Fix web-man links, remove exit cd in setup. X-Git-Url: https://gitweb.dragonflybsd.org/ikiwiki.git/commitdiff_plain/b18173d2f0289df889ee8062452e53ed670614ae Fix web-man links, remove exit cd in setup. --- diff --git a/docs/newhandbook/Jails/index.mdwn b/docs/newhandbook/Jails/index.mdwn index 85596b03..0740c818 100644 --- a/docs/newhandbook/Jails/index.mdwn +++ b/docs/newhandbook/Jails/index.mdwn @@ -28,7 +28,7 @@ -* The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) manual page. This is the full reference of the jail utility -- the administrative tool which can be used in DragonFly to start, stop, and control DragonFly jails. +* The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) manual page. This is the full reference of the jail utility -- the administrative tool which can be used in DragonFly to start, stop, and control DragonFly jails. @@ -52,7 +52,7 @@ - [chroot(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#chroot§ion8) (command) + [chroot(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=8) (command) A system call of DragonFly, which changes the root directory of a process and all its descendants. @@ -61,7 +61,7 @@ *** - [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command#chroot§ion2) (environment) + [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=2) (environment) The environment of processes running in a “chroot”. This includes resources such as the part of the file system which is visible, user and group IDs which are available, network interfaces and other IPC mechanisms, etc. @@ -70,7 +70,7 @@ *** - [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) (command) + [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) (command) @@ -112,13 +112,13 @@ ## What is a Jail - BSD-like operating systems have had [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command#chroot§ion2) since the time of 4.2BSD. The [chroot(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=8) utility can be used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment can not access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. The chroot(8) utility is good for easy tasks, which do not require a lot of flexibility or complex and advanced features. Since the inception of the chroot concept, however, many ways have been found to escape from a chrooted environment and, although they have been fixed in modern versions of the DragonFly kernel, it was clear that chroot(2) was not the ideal solution for securing services. A new subsystem had to be implemented. + BSD-like operating systems have had [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=2) since the time of 4.2BSD. The [chroot(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=8) utility can be used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment can not access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. The chroot(8) utility is good for easy tasks, which do not require a lot of flexibility or complex and advanced features. Since the inception of the chroot concept, however, many ways have been found to escape from a chrooted environment and, although they have been fixed in modern versions of the DragonFly kernel, it was clear that chroot(2) was not the ideal solution for securing services. A new subsystem had to be implemented. This is one of the main reasons why ***jails*** were developed. - Jails improve on the concept of the traditional [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command#chroot§ion2) environment, in several ways. In a traditional [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=2) environment, processes are only limited in the part of the file system they can access. The rest of the system resources (like the set of system users, the running processes, or the networking subsystem) are shared by the chrooted processes and the processes of the host system. Jails expand this model by virtualizing not only access to the file system, but also the set of users, the networking subsystem of the DragonFly kernel and a few other things. A more complete set of fine-grained controls available for tuning the access of a jailed environment is described in Section 12.5. + Jails improve on the concept of the traditional [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=2) environment, in several ways. In a traditional [chroot(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot§ion=2) environment, processes are only limited in the part of the file system they can access. The rest of the system resources (like the set of system users, the running processes, or the networking subsystem) are shared by the chrooted processes and the processes of the host system. Jails expand this model by virtualizing not only access to the file system, but also the set of users, the networking subsystem of the DragonFly kernel and a few other things. A more complete set of fine-grained controls available for tuning the access of a jailed environment is described in Section 12.5. A jail is characterized by four elements: @@ -152,7 +152,7 @@ - Some administrators divide jails into the following two types: “complete” jails, which resemble a real DragonFly system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) manual page is quite clear about the procedure for building a jail: + Some administrators divide jails into the following two types: “complete” jails, which resemble a real DragonFly system, and “service” jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) manual page is quite clear about the procedure for building a jail: @@ -170,8 +170,6 @@ # make distribution DESTDIR=$D -DNO_MAKEDEV_RUN (3) - # cd $D/dev - # cd $D # ln -sf dev/null kernel @@ -199,14 +197,14 @@ *** - Once a jail is installed, it can be started by using the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) utility. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) utility takes four mandatory arguments which are described in the Section 12.3.1. Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The command argument depends on the type of the jail; for a virtual system, ***/etc/rc*** is a good choice, since it will replicate the startup sequence of a real DragonFly system. For a service jail, it depends on the service or application that will run within the jail. + Once a jail is installed, it can be started by using the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) utility. The [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) utility takes four mandatory arguments which are described in the Section 12.3.1. Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The command argument depends on the type of the jail; for a virtual system, ***/etc/rc*** is a good choice, since it will replicate the startup sequence of a real DragonFly system. For a service jail, it depends on the service or application that will run within the jail. Jails are often started at boot time and the DragonFly rc mechanism provides an easy way to do this. - A list of the jails which are enabled to start at boot time should be added to the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#rc.conf§ion5) file: + A list of the jails which are enabled to start at boot time should be added to the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf§ion=5) file: @@ -219,7 +217,7 @@ - For each jail listed in ***jail_list***, a group of [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#rc.conf§ion5) settings, which describe the particular jail, should be added: + For each jail listed in ***jail_list***, a group of [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf§ion=5) settings, which describe the particular jail, should be added: @@ -235,11 +233,11 @@ - The default startup of jails configured in [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#rc.conf§ion5), will run the ***/etc/rc*** script of the jail, which assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed, by setting the ***jail_jailname_exec_start*** option appropriately. + The default startup of jails configured in [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf§ion=5), will run the ***/etc/rc*** script of the jail, which assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed, by setting the ***jail_jailname_exec_start*** option appropriately. - **Note:** For a full list of available options, please see the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#rc.conf§ion5) manual page. + **Note:** For a full list of available options, please see the [rc.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=rc.conf§ion=5) manual page. @@ -255,7 +253,7 @@ - A clean way to shut down a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) is not available at the moment. This is because commands normally used to accomplish a clean system shutdown cannot be used inside a jail. The best way to shut down a jail is to run the following command from within the jail itself or using the [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec§ion=8) utility from outside the jail: + A clean way to shut down a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) is not available at the moment. This is because commands normally used to accomplish a clean system shutdown cannot be used inside a jail. The best way to shut down a jail is to run the following command from within the jail itself or using the [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec§ion=8) utility from outside the jail: @@ -266,7 +264,7 @@ - More information about this can be found in the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8) manual page. + More information about this can be found in the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) manual page. @@ -289,7 +287,7 @@ - Fine tuning of a jail's configuration is mostly done by setting [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#sysctl§ion8) variables. A special subtree of sysctl exists as a basis for organizing all the relevant options: the ***security.jail.**** hierarchy of DragonFly kernel options. Here is a list of the main jail-related sysctls, complete with their default value. Names should be self-explanatory, but for more information about them, please refer to the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) and [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=sysctl§ion=8) manual pages. + Fine tuning of a jail's configuration is mostly done by setting [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=sysctl§ion=8) variables. A special subtree of sysctl exists as a basis for organizing all the relevant options: the ***security.jail.**** hierarchy of DragonFly kernel options. Here is a list of the main jail-related sysctls, complete with their default value. Names should be self-explanatory, but for more information about them, please refer to the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8) and [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=sysctl§ion=8) manual pages. @@ -316,16 +314,16 @@ -These variables can be used by the system administrator of the host system to add or remove some of the limitations imposed by default on the root user. Note that there are some limitations which cannot be removed. The root user is not allowed to mount or unmount file systems from within a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail§ion8). The root inside a jail may not set firewall rules or do many other administrative tasks which require modifications of in-kernel data, such as setting the securelevel of the kernel. +These variables can be used by the system administrator of the host system to add or remove some of the limitations imposed by default on the root user. Note that there are some limitations which cannot be removed. The root user is not allowed to mount or unmount file systems from within a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail§ion=8). The root inside a jail may not set firewall rules or do many other administrative tasks which require modifications of in-kernel data, such as setting the securelevel of the kernel. - The base system of DragonFly contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The [jls(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jls§ion8) and [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec§ion=8) commands are part of the base DragonFly system, and can be used to perform the following simple tasks: + The base system of DragonFly contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The [jls(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jls§ion=8) and [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec§ion=8) commands are part of the base DragonFly system, and can be used to perform the following simple tasks: * Print a list of active jails and their corresponding jail identifier (JID), IP address, hostname and path. - * Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful when the root user wants to cleanly shut down a jail. The [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jexec§ion8) utility can also be used to start a shell in a jail to do administration in it; for example: + * Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful when the root user wants to cleanly shut down a jail. The [jexec(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jexec§ion=8) utility can also be used to start a shell in a jail to do administration in it; for example: