Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. As a general rule, untrusted users with privileged access to a jail should not be given access to the host environment.
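As an added example (not part of the handbook), the following sh functions check the mitigation described above by finding the closest directory on the path to a jail root that denies search permission to "other" users. It assumes that only classic mode bits matter: ACLs, MAC policies and owner or group membership are ignored, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report whether a jail root is reachable by "other" users.
# Assumptions (not from the handbook): only classic mode bits are inspected;
# ACLs, MAC policies and owner/group membership are ignored.

# other_can_search DIR: succeed if the "other" class has search (x) permission.
other_can_search() {
    # Field 1 of `ls -ld` is the mode string, e.g. drwxr-x--x; character 10
    # is the other-execute bit ('x' or 't' = searchable, '-' or 'T' = not).
    mode=$(ls -ldL "$1" | awk '{print $1}')
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# blocking_dir JAILROOT: print the closest directory on the path (the jail
# root itself or an ancestor) that denies search to "other" and return 0.
# Return 1 with no output when every component is searchable, i.e. the jail
# root is reachable by unprivileged host users. Return 2 if it cannot resolve.
blocking_dir() {
    dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 2
    while :; do
        if ! other_can_search "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Stand-alone use: sh check.sh /here/is/the/jail
if [ "$#" -eq 1 ]; then
    where=$(blocking_dir "$1"); rc=$?
    case $rc in
        0) echo "protected: $where denies search to other users" ;;
        1) echo "EXPOSED: $1 is reachable by unprivileged host users" ;;
        *) echo "cannot resolve $1" >&2 ;;
    esac
fi
```

Run it as root on the host so that every path component can be resolved.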
Terms Related to Jails
To make it easier to understand the parts of the FreeBSD system related to jails, their internals, and the way they interact with the rest of FreeBSD, the following terms are used throughout this chapter:
man:chroot[8] (command)
A utility which uses the man:chroot[2] FreeBSD system call to change the root directory of a process and all its descendants.
man:chroot[2] (environment)
The environment of processes running in a "chroot". This includes resources such as the part of the file system which is visible, user and group IDs which are available, network interfaces and other IPC mechanisms, etc.
man:jail[8] (command)
The system administration utility which allows launching of processes within a jail environment.
host (system, process, user, etc.)
The controlling system of a jail environment. The host system has access to all the hardware resources available, and can control processes both outside of and inside a jail environment. An important difference between the host system and a jail is that the limitations which apply to superuser processes inside a jail are not enforced for processes of the host system.
hosted (system, process, user, etc.)
A process, user or other entity whose access to resources is restricted by a FreeBSD jail.
Creating and Controlling Jails
Some administrators divide jails into the following two types: "complete" jails, which resemble a real FreeBSD system, and "service" jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. When creating a "complete" jail there are two options for the source of the userland: use prebuilt binaries (such as those supplied on installation media) or build from source.
Installing a Jail
To install a Jail from the Internet
The man:bsdinstall[8] tool can be used to fetch and install the binaries needed for a jail. It walks through choosing a mirror, selecting which distributions to install into the destination directory, and some basic configuration of the jail:
# bsdinstall jail /here/is/the/jail
Once the command is complete, the next step is configuring the host to run the jail.