Should jails have the src component?

[japoc]

Hello,

I'm trying to create jails and keep them up to date and secure.
I don't know if I should add the src component to my jails.
As of now, I only download base.txz, lib32.txz and doc.txz from http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/11.0-RELEASE/ , extract them in a directory and I run

freebsd-update -b /var/jails/myjail_directory/ fetch install

to populate the jail directory.
I'm not sure if I should also add src.txz.
Would some packages from pkg would not work without src? Maybe some libraries available in pkg require some headers that are only available in src?

Also, I'm trying to update my jails and I'm not sure how to specify to freebsd-update that I only want to update the base, lib32 and doc components (and maybe src).

Thanks for your help.

 

[ekingston]

In my opinion, the general case answer is no, jails should not include the source component. A jail is intended to isolate a specific activity from the core operating system (and other applications/actions). Generally one would do this because there is some inherent risk in the activity which can be mitigated by being put into a jail. As such, to keep that risk to a minimum, the jail should not have anything included in it that isn't strictly needed to achieve that task.

Of course, if that particular task is letting users log-in to the jail in order to compile/generate their own FreeBSD binaries, then you might want to include the code base. So, the real answer is it depends.

On the other hand, if the purpose of the jail is to run a publicly accessible web server, then you want to give any attacker that manages to find a way to gain access to the jail through the web server as few tools as possible to cause more damage to your system.

 

[SirDice]

Packages do not depend on the availability of the source. Only some ports require access to the source in order to build kernel modules.

I'm trying to update my jails and I'm not sure how to specify to freebsd-update that I only want to update the base, lib32 and doc components (and maybe src).

See freebsd-update.conf(5).

 

[japoc]

Packages do not depend on the availability of the source. Only some ports require access to the source in order to build kernel modules.


See freebsd-update.conf(5).

I made a second thread about this question since it was actually a separate issue: https://forums.freebsd.org/threads/61046/
Sorry about the duplicate.