In this 2014 blog post from an apparently anti-BSD blog, the author criticizes BSD jails for being poorly designed and therefore insecure.

The opening paragraph reads:

If you’re thinking of employing FreeBSD jails in your server environment or use them to run insecure applications, it will be good for you to reconsider those options. Jails are some of the most vulnerable phony “security” features ever put forth by fraudsters. They have been found to be even more insecure than a basic unix chroot and, worse, they even make it easier to gain control of your kernel with certain types of attacks.

The article goes on to lambast jails for having a backdoor that was installed by a control-freak developer, excessive overhead, and so on.

Obviously the author is quite biased, in my opinion pathologically so. That said, is there merit to these claims? Are BSD jails an inadequate solution for securing applications on a web server?

shadowtalker
  • as usual... "adequate" depends on what you define as adequate, so your question, sadly, is based on an opinion on security that you forget to share! – Marcus Müller Feb 19 '17 at 17:17
  • I'm not sure if it makes sense to discuss anything on this blatantly anti-BSD blog. This article contains only claims but nothing which proves these claims, so parts might be completely wrong and other parts might be greatly exaggerated. I propose to close this question because we don't really want to discuss such obviously biased "information". – Steffen Ullrich Feb 19 '17 at 17:23
  • @SteffenUllrich the whole point of my question was to seek clarification about the claims made in the blog. Since you seem to know more about this than I do, why not just answer the question? "Too broad" and "I don't like the subject matter" are not the same thing. – shadowtalker Feb 19 '17 at 17:24
  • @ssdecontrol: to cite from http://ivoras.sharanet.org/blog/tree/2009-10-20.the-night-of-1000-jails.html where somebody did a test with 1000 jails: *CPU usage is almost 0. ...So there it is - cheap, easy, low-weight virtualization that can be quickly set up and destroyed.* As for security: they are much better than chroot (their predecessor), and lxc came way later (jail: 2000, lxc: 2008 according to Wikipedia). – Steffen Ullrich Feb 19 '17 at 17:27
  • Well, the previous blog just claimed FreeBSD is dead. Hopefully the dead FreeBSD is still a maintained OS. Some guys do not like BSD for religious reasons (BSD license is quite different from any GNU license), and the author of that seems to be one of them. This post contains neither evidence nor even constructed arguments, but only rants. IMHO here is what it only deserves: plonk. – Serge Ballesta Feb 19 '17 at 22:55
  • For BSD jails, they are an intermediate between a mere chroot and a virtualization solution. Not a panacea, but the isolation level that they provide can increase security. Whether they are *adequate* mainly depends on the requirement - and BSD still has a good reputation when security is a concern: not as efficient as a recent Linux on a modern platform, but always a robust solution. – Serge Ballesta Feb 19 '17 at 23:01