Hey guys, just recently been diving head-first into jails and they're pretty much perfect. My server currently has a few running services, and one running VNET + OpenVPN and they work great.
Was just wondering if there are any accepted 'best practices' for jail security. For example, whether or not it's ok to run everything in the jail as root and not bother creating a sudo user. I ask this because I recently saw info about setuid privilege escalation and the jail's wiki page states that there are ways for root in jail and unprivileged in host to escalate privileges.
Also wondering if there's a way to hide jail filesystems from non-root users. Is it as simple as chmod'ing it? A bit scared I might break the jail's filesystem if I chmod -R everything.
Cheers