This chapter will provide an explanation of what FreeBSD jails are and how to use them. Jails, sometimes referred to as an enhanced replacement of chroot environments, are a very powerful tool for system administrators, but their basic usage can also be useful for advanced users.
Important: Jails are a powerful tool, but they are not a security panacea. It is particularly important to note that while it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail and thereby obtain elevated privileges in the host environment.
Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. Regardless, as a general rule, untrusted users with privileged access to a jail should not be given access to the host environment.
After reading this chapter, you will know:
What a jail is, and what purpose it may serve in FreeBSD installations.
How to build, start, and stop a jail.
The basics of jail administration, both from inside and outside the jail.
Other sources of useful information about jails are:
The jail(8) manual page. This is the full reference of the jail utility — the administrative tool which can be used in FreeBSD to start, stop, and control FreeBSD jails.
The mailing lists and their archives. The archives of the FreeBSD general questions mailing list and other mailing lists hosted by the FreeBSD list server already contain a wealth of material for jails. It should always be engaging to search the archives, or post a new question to the freebsd-questions mailing list.