Those familiar with Java recognize the security concept of a sandbox. For those that aren't, it's the concept that everyone gets a unique, well-equipped sandbox to play in, and a person in one sandbox isn't allowed into anyone else's sandbox, not even to share anything with anyone else. On FreeBSD, jails implement this concept -- they keep processes in their own part of the system and deny them access to anything else. A jail requires its own dedicated IP address, though, which can make life difficult for those with limited address space. If this presents you with a hardship, consider at least using chroot. It won't afford you as much security as a jail, but it does help.

How does this help security? Take, for example, a box that hosts both an external FTP server and the company extranet. An exploit for the FTP server is discovered, and a cracker manages to gain root access through the FTP daemon. If the FTP server is not run in a sandbox or jail, the cracker will have access to everything on the machine, including sensitive information destined for the company's partners through the extranet. If, however, the FTP server is run in a jail, the cracker will only have access to the FTP files.
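The chroot fallback mentioned above only helps if the daemon confines itself in the right order and then gives up root, so that a compromise of the service code cannot simply chroot back out. The following program is an added example written for this article, not code from the original or from any FreeBSD daemon; it uses only POSIX calls (so it builds on FreeBSD and Linux alike) and assumes the caller supplies the sandbox directory and the unprivileged uid/gid on the command line.

```c
/* Added example: the classic "chroot, then drop privileges" sequence a
 * daemon such as an FTP server should perform before serving requests.
 * The root directory and the unprivileged uid/gid are assumed inputs
 * supplied by the caller; nothing here comes from the original article. */
#define _DEFAULT_SOURCE 1   /* expose chroot()/setgroups() on glibc; harmless on FreeBSD */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to 'root' and give up root privileges.
 * Returns 0 on success, -1 (with errno set) on failure. */
int enter_sandbox(const char *root, uid_t uid, gid_t gid)
{
    if (root == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;            /* refuse to "drop" to root itself */
        return -1;
    }
    /* chdir() before chroot(): a chroot whose cwd is still outside the
     * new root is a well-known escape, so the order matters. */
    if (chdir(root) != 0)
        return -1;
    if (chroot(root) != 0)         /* needs root; fails with EPERM otherwise */
        return -1;
    if (chdir("/") != 0)           /* cwd is now the sandbox root */
        return -1;
    /* Drop supplementary groups, then the gid, then the uid: once the uid
     * is non-zero the earlier two calls would no longer be permitted. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Belt and braces: root must not be regainable (saved uid was replaced). */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if every identity of the calling process is non-root and root cannot
 * be regained, 0 otherwise. Useful as a startup self-check in the daemon. */
int verify_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0)
        return 0;
    return setuid(0) == -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <rootdir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_sandbox(argv[1], uid, gid) != 0) {
        fprintf(stderr, "enter_sandbox: %s\n", strerror(errno));
        return 1;
    }
    printf("confined; privileges dropped = %d\n", verify_unprivileged());
    /* From here on "/" is the sandbox: a compromise of the service code
     * that follows can only reach files copied into the sandbox tree. */
    FILE *f = fopen("/etc/passwd", "r");
    printf("/etc/passwd inside the sandbox: %s\n", f ? "present" : "absent");
    if (f)
        fclose(f);
    return 0;
}
```

Run it as root with an empty directory and an unprivileged uid/gid (on FreeBSD, `/var/empty` and uid/gid 65534 for `nobody`) and the second line reports that `/etc/passwd` is absent, because the only `/etc` the process can see is the one inside the sandbox. Without root, `chroot()` itself fails with EPERM, which is the same reason a jail or chroot must be entered by the daemon before it serves its first request rather than after.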