Professional Web Applications Themes

looking for jail tutorial - FreeBSD

Hello, Running 5.3-p6 on a box with two NICs. I'm new to the list and FreeBSD in general. I'm trying to find more doentation on jail(8) than is offered in the man page. (I checked the Handbook but couldn't find anything about jails. Did I miss it?) For instance, the man page says: NOTE: It is important that only appropriate device nodes in devfs be exposed to a jail; access to disk devices in the jail may permit processes in the jail to bypass the jail sandboxing by modifying files outside of the jail. How do I know what the ...

  1. #1

    Default looking for jail tutorial

    Hello,

    Running 5.3-p6 on a box with two NICs.

    I'm new to the list and FreeBSD in general. I'm trying
    to find more doentation on jail(8) than is offered
    in the man page. (I checked the Handbook but couldn't
    find anything about jails. Did I miss it?) For
    instance, the man page says:

    NOTE: It is important that only appropriate device
    nodes in devfs be exposed to a jail; access to disk
    devices in the jail may permit processes in the jail
    to
    bypass the jail sandboxing by modifying files outside
    of the jail.

    How do I know what the "appropriate device nodes" are
    for a given jail? I want to run four jails: two
    webservers, DNS, mail. After testing, the DNS and
    email jails will be shutdown and the services moved to
    separate machines.
    Also, do I configure identical Hosts files on each?
    Should the jails be on different subnets for added
    security or can they all be on the same subnet as the
    host machine?
    Any help you can give would be appreciated!

    Thanx,

    Bill

    The word 'politics' describes the situation so well:
    'poli' meaning 'many' and 'tics' meaning 'blooding
    creatures'.






    __________________________________
    Do you Yahoo!?
    Make Yahoo! your home page
    http://www./r/hs
    Bill Guest

  2. #2

    Default RE: looking for jail tutorial

    You should search this lists archives for answers first.
    In the list archives I found this.

    http://subwiki.honeypot.net/cgi-bin/view/Freebsd/JailAdmin


    http://jailnotes.cg.nu/
     
    when 

    I won't say they are bright, but the ideas reflected in
    this layout are working well for me:

    /jails/ Home for most jail related material. Note I do not
    backup /jails every night as I do other partitions.
    (I do backup /data every night and you'll see below
    how I make use of that in a jail.)

    /jails is its own partition so if it fills, it will
    not cause problems for the host system.

    /jails/{jail_X}/
    The root for one specific jail. Of course if you
    have sets of jails, then /jails/jail_A/{cell_1,cell_2}
    and /jails/jail_B/{cell_10,cell_11} where cell_#
    is actually the root directory works well for
    keeping them well organized.

    /jails/etc/rc.d/
    Startup scripts (e.g. jail_X.sh) for all jails.

    If you augment $local_startup in /etc/rc.conf to
    include /jails/etc/rc.d then all the jails will be
    started automatically.

    /jails/bin/
    Jail management scripts.

    .../bin/JAIL_CTL.sh A generic start, stop, enter, trace,
    ps script. Each jail's startup
    script sets a bunch of environment
    variables and then calls JAIL_CTL.

    .../bin/jail_clone duplicates a jail.

    .../bin/jail_ps runs ps for all the processes in
    a specific jail.

    /jails/var/trace/
    Home for kdump traces of jail execution.

    /jails/template/
    A reference jail that I can clone in a few minutes
    time. Much easier then running (make world) every
    time I need a new jail.

    /data/jails/{jail_X}/
    If there is a /data/jails/{jail_X} present, then
    it is automatically mounted as /jails/{jail_X}/data
    when the jail is started. That way the /data
    directory in a jail can be treated separately then
    from the rest of the jail.

    One caveat if you do this. Multiple jails, each
    with their own uid space, will rapidly overlap in
    the host's uid space. To avoid this, my jail creation
    script hashes the jail's IP address to create a
    (relatively) unique starting point for that jail's
    uids. That starting uid is placed in the jail's
    /etc/adduser.conf as $uid_start. This minimizes the
    chances that uids will collide.

    /data/jails/{jail_X}/home/
    Symlink to /data/home (in the jail of course). If
    /data/jails/{jail_X} is mounted on the jail's /data,
    then the home partition in the jail is actually
    coming from /data of the host and therefore will
    be backed up on a regular basis.

    /data/jails/{jail_X}/proc/
    If it is present, then /proc is mounted on this
    directory when a jail is started and unmounted when
    it is stopped.

     
    drive 
    partition? 

    About all I can think of is to make a directory, and all its
    subordinate directories, owned by a specific user. You can
    then have per user quotas.

    For the specific example of /var/log, you'd have to set the
    user to be root_X. If you then set the user-ID-on-execution
    bit (see chmod(1) or chmod(2)) for /var/log so all new files
    and directories created under it would also be owned by root_X.

    I suspect you'd have to pre-populate your /var/log directory
    and chown everything to root_X. If you then change everything
    there to have world write permissions then root in the jail
    can update the files. Having world write access is a bad
    idea, but it's your trade-off to consider.

    managing passwd in a jailed env.
    Well i have the answer. just ran across the pw
    command, and looked it up. guess what i found.

    pw -V etcdir

    daoh!

    pw -V /usr/jail1/etc adduser bubba

    daoh, daoh!!

    pw -V /usr/jail1/etc usermod bubba -h 0
    New password for user bubba:

    dd if=/dev/daoh of=/dev/stdout bs=1048576 count=1

    so to some up, pw does everything i need to manage
    users in a jail, from outside of the jail.

    i knew there was something out there to do this with.






    -----Original Message-----
    From: org
    [mailto:org]On Behalf Of Bill Ding
    Sent: Sunday, April 03, 2005 7:23 PM
    To: org
    Subject: looking for jail tutorial

    Hello,

    Running 5.3-p6 on a box with two NICs.

    I'm new to the list and FreeBSD in general. I'm trying
    to find more doentation on jail(8) than is offered
    in the man page. (I checked the Handbook but couldn't
    find anything about jails. Did I miss it?) For
    instance, the man page says:

    NOTE: It is important that only appropriate device
    nodes in devfs be exposed to a jail; access to disk
    devices in the jail may permit processes in the jail
    to
    bypass the jail sandboxing by modifying files outside
    of the jail.

    How do I know what the "appropriate device nodes" are
    for a given jail? I want to run four jails: two
    webservers, DNS, mail. After testing, the DNS and
    email jails will be shutdown and the services moved to
    separate machines.
    Also, do I configure identical Hosts files on each?
    Should the jails be on different subnets for added
    security or can they all be on the same subnet as the
    host machine?
    Any help you can give would be appreciated!

    Thanx,

    Bill

    The word 'politics' describes the situation so well:
    'poli' meaning 'many' and 'tics' meaning 'blooding
    creatures'.






    __________________________________
    Do you Yahoo!?
    Make Yahoo! your home page
    http://www./r/hs
    _______________________________________________
    org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to
    "org"

    Guest

  3. #3

    Default Fwd: RE: looking for jail tutorial


    --- com wrote:
     
    > when 
    >[/ref]

    <snip> 
    Ding 

    Thanks for the response. I tried looking through the mail archives
    but the hits either more or less repeat the man page or deal with
    unrelated questions (or have nothing to do with jails at all).
    Also, I had already gone to both those sites, and neither answered
    my questions.

    Regards,

    Bill


    The word 'politics' describes the situation so well: 'poli' meaning 'many' and 'tics' meaning 'blooding creatures'.

    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around
    http://mail.
    Bill Guest

Similar Threads

  1. Jail security
    By Frank in forum FreeBSD
    Replies: 3
    Last Post: March 7th, 08:48 PM
  2. Replies: 2
    Last Post: February 17th, 07:46 PM
  3. WZ2K Tutorial Update - Latest Dynamic Dreamweaver video tutorial
    By Psmeg in forum Macromedia Dreamweaver
    Replies: 0
    Last Post: June 26th, 08:29 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139