why does OpenBSD not have jails, like FreeBSD?

You are currently reading a thread in /g/ - Technology

Thread replies: 68
Thread images: 4
why does OpenBSD not have jails, like FreeBSD?
>>
The fuck is a jail? Why does it matter
>>
>>55290750

https://www.freebsd.org/doc/handbook/jails.html

it matters if you don't want your server to get r00ted
>>
>>55290732
It'll have virtualization soon.

Should be safer than a jail in theory because it probably doesn't share anything with the host.
>>
>>55291259
Virtualization is good for running untrusted code, jails/containers are better for running trusted code. It's nice to have both.
>>
did the OpenBSD devs ever say why they didn't implement jails? after all OpenBSD prides itself on putting security first.

op
>>
>>55290732
Because Theo is African, and They don't like jails, though they sure have a funny way of ending up in them...
>>
Jails were built specifically for FreeBSD and require a lot of work to implement elsewhere. I believe OpenBSD devs like jails but they do not like that it requires so much work and additional code to implement, they prefer chroot+systrace as a simpler alternative.
>>
>>55291797
yeah, and the only reason OpenBSD is even getting virtualization is because of a dare

they tend to prefer simple solutions
>>
>>55291511
underrated post
>>
Since this thread is about BSD, wasn't there an anon that was looking for Henning Brauer's presentation about ISPs?

The rest of the BSDCan presentations are finally up on youtube:
https://www.youtube.com/watch?v=AOidjSS7Hsg&list=PLeF8ZihVdpFfoEV67dBSrKfA8ifpUr6qC
Playlist starts here.
>>
>>55292081
That was me thanks for reminding me of that anon.
>>
>>55290732

Because OpenBSD doesn't ship shit.

When they do virtualization, it will be done correctly, your 'jails' will be instantly depreciated
>>
>>55292178
It's that attitude that feeds the trolls that hang in here, you do know that, right?
>>
>>55292191

Doesn't make my argument false.

If you really want to shill freebsd, there is Hacker News for that.
>>
>>55290732
Because it has chroot, and unlike some OSes, it takes full advantage of it, and utilizes it extensively to accomplish the exact same things you'd want to use Jails for. No need to reinvent the wheel, or let a retarded dipshit like Poettering close enough to start trying to "fix" stuff, or anything like that.
>>
>>55291486
Psst...if you're relying on Jails to secure your system, then you are doing it very wrong. You should ensure that you have a secured system, before you even think about implementing Jails. Jails are an additional measure, not your first line of defense. They won't do you a bit of good on an unsecured system, and I believe the FreeBSD handbook even explicitly tells you this. You have read the handbook haven't you? https://www.freebsd.org/doc/handbook/jails.html#jails-synopsis

>Jails are a powerful tool, but they are not a security panacea. While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment.
>>
>>55291259
>>55292178

so when will we see virtualization in OpenBSD?
>>
>>55290750
It's where you go for watching anime in Canada
>>
>>55293726
Not sure, but I think -current already has it.
>>
>>55292422
>utilizes it extensively to accomplish the exact same things you'd want to use Jails for

how? jails are much more capable and comprehensive than chroot
>>
>>55293726
>>55293743
Oh, interestingly the VM tools are already there in the latest -release.

So is the daemon, so I guess it's there already but it can't boot anything but OpenBSD yet.
>>
>>55293732

maple syrup and hockey make you hate japan
>>
>>55295474
but I only use maple syrup and I'm a Penguins fan.
>>
>>55293803

in two years it will support linux and maybe freebsd. it will almost be as useful as containers with selinux.
>>
>>55292567
>before you even think about implementing Jails
so openbsd is not a secure system?
>>
>>55292422
>retarded dipshit like Poettering
at least he's better than you, right? what have you accomplished?
>>
>>55297523
>>55297513

Not him, but you two should rub dicks together.
>>
>>55297533
>Not him, but
please
>>
>>55290732
>ever thinking openbsd was about security
strlcpy is a buggy piece of shit. If a string is too long for the destination then it shouldn't just truncate it and silently continue. It should either signal an error or if it's on the heap, reallocate so that it fits. And if you really want strlcpy behavior it should use *((char *) mempcpy (dst, src, n)) = '\0' which is way faster than the shitty OpenBSD way of doing it, since when copying a string you should ALWAYS know the length anyways.
And they completely stole W^X from PaX
>>
Jails won't protect you from the FBI backdoors
>>
>>55297644
OpenBSD never claimed they invented all the security features it has.

>Sometimes these ideas have been used before in some random application written somewhere, but perhaps not taken to the degree that we do.
What they mean by this is that they're extremists and will enable those protections EVEN if it breaks the userland completely. They have done so many times before and will keep doing it in -current.
>>
>>55297644
>strlcpy is a buggy piece of shit
it's worthless shit, but it's not buggy
>either signal an error
it does; the return value will be greater than the size argument
>or if it's on the heap, reallocate
it can't know that
>want strlcpy behavior it should use *((char *) mempcpy (dst, src, n)) = '\0'
no, that's silently truncating
>when copying a string you should ALWAYS know the length anyways
yes, BOTH lengths, of destination and source, and the proper way to copy is simply memcpy(dst, src, src_len + 1);
>stole W^X from PaX
b-but INNOVASHUN! :^)
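
The truncation check argued over in the strlcpy exchange above, as an added example that is not part of any post in the thread. `demo_strlcpy`, `copy_checked`, `copy_known_len` and `demo_buf` are hypothetical names; `demo_strlcpy` reimplements the documented strlcpy semantics so the code builds on libcs that do not ship it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

char demo_buf[8];   /* constructed 8-byte destination for the demo */

/* strlcpy semantics: copy at most dstsize-1 bytes, always NUL-terminate
 * (when dstsize > 0), and return strlen(src), the length it tried to create. */
size_t demo_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Turn the return value into an explicit error: truncation happened
 * whenever the source length does not fit below dstsize (note >=, the
 * terminator needs one byte). Returns 0 on a full copy, -1 if truncated. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    return demo_strlcpy(dst, src, dstsize) >= dstsize ? -1 : 0;
}

/* The known-length copy from the thread, memcpy(dst, src, src_len + 1),
 * with the destination-size comparison that makes it safe. Nothing is
 * written when the source does not fit. */
int copy_known_len(char *dst, size_t dstsize, const char *src, size_t src_len)
{
    if (src_len >= dstsize)
        return -1;
    memcpy(dst, src, src_len + 1);
    return 0;
}

int main(void)
{
    const char *path = "/var/www/htdocs";   /* constructed sample input */
    int rc = copy_checked(demo_buf, sizeof demo_buf, path);
    printf("rc=%d buf=\"%s\"\n", rc, demo_buf);
    return 0;
}
```

Ignoring the return value is what makes truncation silent: a shortened path or hostname can name a different object than the caller intended.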
>>
>>55290732
they haven't innovated them yet! but soon...
>>
>>55298043
>using the smiley with a carat nose
>>
>>55290732
Because it uses the best security model ever invented: security by wishful thinking. If you think you're secure, no matter the reality, nothing can possibly touch you. Who needs defense in depth? Who needs jails? That's just bloat. Believe and be free!
>>
>>55300370
no amount of jailing can save a stupid sysadmin
>>
>>55300409
Any amount of jailing, even the bare minimum, CAN save a stupid sysadmin. The more security layers you add, the more secure an OS is, even from the most retarded sysadmin on the planet.
>>
>>55297523
I'm a machinist. I work in the family shop, which I will one day own a piece of. I do most of the CNC work around there. I know, it's nothing as glamorous as being the "brains" behind the systemd, Pulse audio, and other such malware, but I'm not looking for glory. Just a really decent living, that allows me to pay the bills, and enjoy life a little bit. You?
>>
>>55290732
>https://marc.info/?l=openbsd-misc&m=119318909016582
> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection. Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.
>>
>>55301391
>there are people who take openbullshitdund seriously when things like these are all over the mailing lists
>>
>>55301391
>>55302064
he's right, you know
>>
>>55297523
>pulseaudio
>systemd

All a person needs to do is not be bad/criminal. Then they are better than potter. Maybe not more accomplished, but a better human bean.
>>
>>55295595
FLYERS
L
Y
E
R
S
>>
>>55290732
How do jails compare against linux cgroups+namespacing? (e.g. via systemd's machinectl)
>>
>>55303290
>better human bean
yes you are
>>
>>55304170
poorly
>>
>>55303290
>he's bad because he devotes his time to write software to benefit other people
Sounds like you're shit.
>>
>>55304235
Can you be specific? Examples? Pros and cons? Difference list?

I don't want some "muh systemd is bad" meme-tier shilling, I want to know what the actual facts are
>>
>>55290854

gaols*

get it right u fucken new fags
>>55290750
>>
>>55304246
>benefit
arguable
>>
>>55304246
>benefit

Motherfucker, are you for real? When Windowsfags install Ubuntu and ditch it because the sound doesn't work, it's usually PulseAudio causing the problem.

systemd will eventually become the same way. He's already gone ahead and made it clear that he doesn't give a shit and that he won't bend for compatibility that he needs to provide because he's a lazy fuck.

Poettering firmly believes that Linux is "primitive", and for it to be "modern", it has to implement all of the shittiest, most obtuse aspects of other systems.
>>
>>55297644

> stole W^X from PaX
> stole

kill yourself retard (and just before you do, read how the GPL and BSD licences work)
>>
>>55301391

kek! enlightening
>>
>>55291895
>underrated post
very
>>
>>55297644
Hey anon-kun, why not just suggest this change on the CVS tree if you think you know better? If you're right then I'm sure Theo will make the changes.
>>
>>55305237
>Windowsfags install Ubuntu and ditch it
I'm ok with that.
>he won't bend for compatibility
Perfect! Shit from the 70s needs to die already.
>Poettering firmly believes that Linux is "primitive"
He's right.
>>
>>55307014
There is no way you're not underage
>>
>>55307043
how else could he be spending days here posting retarded shit like this
>>
>>55307079
don't project your homosexuality on others
>>
>>55307149
>we're not homosexuals
>we're just grateful and we choose to please him with our mouths
bwahahahahahahahaha
>>
>>55307187
you dont even know how happy i am right now that you're posting like this

you're just making yourself look like a child lmao
>>
>cuck license
No thanks.
>>
>>55293726
Soon Anon... Soon
>>
>>55303196

yeah, but virtualization bugs are much more rare than kernel bugs due to code size and hardware limitations.
>>
>>55309201
Yeah but I think Theo's response was more of an embellished "fuck off and do it yourself".

I guess if someone does it on their own and they do it right, he'll accept it.
>>
>>55290732
Because its made by a fat neet in his basement.
>>
>>55309844
>I have no clue what we're discussing so I'll just post some total bullshit
Spotted the twelve year old