OpenBSD chroot vs. FreeBSD jails

[gpatrick]

I don't intend to start a war but would like to know the real security differences between OpenBSD chroot and FreeBSD jails. Are jails indeed more secure than using chroot or is chroot as secure if implemented correctly?

Please no wars, I'm only looking for information to implement a few web sites now, and possibly a few dozen at a later time. They will all need to access a database and I prefer to use a reverse proxy.

[J65nko]

Didn't we discuss this already extensively in http://www.daemonforums.org/showthread.php?t=3983 ?

[gpatrick]

Coming from Solaris I think I'll just stay with jails on FreeBSD since the concept is the same. Then I don't have to try and get cgi working in chroot or how I'm going to get the reverse proxy working and other things in chroot. Though the thought of chroot with virtual hosts seems nice and then I wouldn't have so many instances of Apache. Though I could do that in a single jail. Just want the ulimate in security for the web sites.

Thank you for your help. I appreciated it.

[BSDfan666]

I'm not sure if you're aware, but chroot(2) is not something that's only available on OpenBSD.. it is a standardized functionally that all POSIX/Unix-alikes support.

Unlike many other systems, OpenBSD makes use of this feature extensively.. most daemons additionally drop root privileges early on during initialization, reducing the blow to the rest of the system.

The ultimate security for hosting multiple sites is.. multiple servers, that's physical security.. if however you prefer to keep things centralized.. you must realize that compromises may happen eventually, having a good recovery policy in place is just good thinking, making things difficult for the said attacker is just icing on the cake.

You have already been told that OpenBSD does not support jails, this is because it's an extensive modification.. it touches practically every part of the system.. and nobody can guarantee that they are impenetrable or invulnerable to attack.

If you believe that jails are a requirement for your setup, then continue using FreeBSD.. but respect that privileged separation, chroot(2) and wise ass thinking is good enough for some people.

[jggimi]

Not to start a war. But the consensus, among the OpenBSD cognescenti, is that virtual machines / Chroot / Jails are not adding additional security, nor platform isolation, though they do offer the appearance of it. Many people think they are getting these through virtualization, but ... the consensus is they are mistaken. You may, if you wish, call that a theory, but the Project members will call it fact, and cite chapter and verse, nastily. You can search the misc@ archives for lots of it.

The use of chroot within OpenBSD itself is for filesystem isolation after privilege separation, for Apache and BIND, primarily.

As it has filesystem virtualization, I have used chroot for development. I was not looking for security or platform isolation, just filesystem isolation.