Re: Requesting advice on Jail technique.
I would like to provide as complete a system as possible to the jail/domain owners. What specifically do I need to ensure they DON'T have access to? And if I give them access to the ports collection, how do I prevent them from just installing said binaries anyway?

Another thing I was thinking... if I go forward with the unionfs, say, for the ports collection itself -- each jail could have their own configuration files, etc... but should I make the distfiles directory get updated so that we don't get huge amounts of that space replicated?

Malachi

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Requesting advice on Jail technique.
Hello,

I use different jails for nearly each network service I have to provide: httpd, smtp/pop3, squid, log collector. It's quite difficult to build each particular jail with those programs and corresponding libraries which will be needed in it. That is why I made the following simple script to make a jail and to add needed programs to it (you will have to change the absolute paths):

#!/bin/sh
# Create a minimal jail directory tree and copy selected programs into it,
# together with the shared libraries ldd(1) reports for each of them.
# Absolute paths (the DSTDIR default, /libexec/ld-elf.so.1) must be adapted.

LDD=/usr/bin/ldd
MD=/bin/mkdir

# copyone FILE: copy FILE to the same path below $DSTDIR, creating the
# directory when needed, then warn if mode/uid/gid of the copy differ from
# the source (fields 3, 5 and 6 of FreeBSD stat(1) output).
copyone() {
    SRC=$1
    DP=`dirname $SRC`
    DF=$DSTDIR$DP/`basename $SRC`
    SRCSTAT=`stat $SRC | awk '{ print $3, $5, $6 }'`
    if [ -d $DSTDIR$DP ] && [ ! -f $DF ]
    then
        cp $SRC $DSTDIR$DP
    else
        $MD -p $DSTDIR$DP && cp $SRC $DSTDIR$DP
    fi
    DFSTAT=`stat $DF | awk '{ print $3, $5, $6 }'`
    if [ "$SRCSTAT" != "$DFSTAT" ]
    then
        echo "Warning - $SRC and $DF modes differ" && ls -la $SRC && ls -la $DF
    fi
}

# docommand: copy the program named in $TGT and every library it links to.
docommand() {
    TMP=`which $TGT`
    if [ -z "$TMP" ]
    then
        # added guard: the posted script went on to run stat on an empty name
        echo "$TGT: not found in PATH"
        return 1
    fi
    copyone $TMP
    # ldd lines containing ':' are the per-file headers; the third field of
    # the remaining lines is the resolved library path.
    for aa in `$LDD $TMP | grep -v ":" | awk '{ print $3 }'`
    do
        copyone $aa
    done
}

echo "where you want base dir to be?"
read DSTDIR
echo $DSTDIR
if [ "$DSTDIR" = "" ]
then
    DSTDIR=/usr/home
    echo $DSTDIR
else
    if [ ! -d $DSTDIR ]
    then
        mkdir -p $DSTDIR
    fi
fi

echo "how do you want to call this jail?"
read JDIR
echo $JDIR
if [ "$JDIR" = "" ]
then
    JDIR=10.10.10.10
fi
DSTDIR=$DSTDIR/$JDIR
echo $JDIR

if [ ! -d $DSTDIR ]
then
    mkdir -p $DSTDIR
    echo "DEST: $DSTDIR"
    mkdir $DSTDIR/dev && echo "Please copy devices!!!"
    cp /dev/null $DSTDIR/dev/
    echo 'Write "yes" after'
    read y
    if [ "$y" != "yes" ]; then exit 0; fi
    # Device copy loop, commented out in the posted script. The loop
    # variable's name was lost in the archive; "d" is used here.
    # for d in fd net kmem log mem null random stderr stdin stdout urandom zero
    # do
    #     cp /dev/$d $DSTDIR/$JDIR/dev/
    # done
    mkdir $DSTDIR/bin
    mkdir $DSTDIR/etc
    mkdir $DSTDIR/lib
    mkdir $DSTDIR/libexec && cp /libexec/ld-elf.so.1 $DSTDIR/libexec/
    mkdir $DSTDIR/home
    mkdir $DSTDIR/proc
    mkdir $DSTDIR/tmp
    mkdir $DSTDIR/usr
    mkdir $DSTDIR/var
    mkdir $DSTDIR/var/run
    cd $DSTDIR && ln -s dev/null ./kernel
    for TGT in sh mail syslogd newsyslog cron
    do
        docommand
    done
fi

echo "what programs d'you want to copy?"
read TGT
echo $TGT
if [ "$TGT" = "" ]
then
    exit 0
else
    docommand
fi
exit 0

Another one to see the processes in different jails:

#!/bin/sh
# List the processes running inside jails, coloured per jail. Needs procfs
# on /proc: the jail name is the fourth path component of the process's
# executable (e.g. /usr/home/<jail>/bin/sh), and the last dotted part of
# that name selects the colour. In the archived message the variable that
# holds the jail name lost its name (it shows as a bare "$"); it is called
# JNAME here.

IFS='
'
mount -t procfs proc /proc
ii=1
color=5
# ps -ajxfw marks jailed processes with J in STAT; the header line also
# survives the grep (JOBC), so the first line is skipped below.
for line in `ps -ajxfw | grep "J" | grep -v grep`
do
    uid=`echo $line | awk '{ print $1 }'`
    pid=`echo $line | awk '{ print $2 }'`
    pnam=`echo $line | awk '{ print $10 }'`
    if [ $ii -ne 1 ]
    then
        JNAME=`readlink /proc/$pid/file | awk -F'/' '{ print $4 }'`
        iii=`echo $JNAME | awk -F'.' '{ print $4 }'`
        # echo "ii= $iii"; exit 0   # debugging leftover in the posted script
        color=5
        if [ "$iii" = "buk" ]; then color=2; fi
        if [ "$iii" = "198" ]; then color=4; fi
        if [ "$iii" = "220" ]; then color=5; fi
        if [ "$iii" = "222" ]; then color=6; fi
        if [ "$1" = x ]
        then
            # with argument "x" also show the IPv4 sockets the process holds
            echo -e "\033[1;1;4${color}m${JNAME}, ${pid}:\033[2;0m" \
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid \
                `lsof -nn -p ${pid} | grep "IPv4" | awk '{ print $8, $9, $12 }'`
        else
            echo -e "\033[1;1;4${color}m${JNAME}, ${pid}:\033[2;0m" \
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid
        fi
    fi
    ii=`expr $ii + 1`
done
# the archived message is cut off at "umount p"; /proc matches the mount above
umount /proc
Re: Requesting advice on Jail technique.
On Sep 22, 2005, at 6:51 PM, Malachi de Ælfweald wrote:

> I am thinking at this point what I am going to try to do is build a jail skeleton, then use unionfs to mount on top of that... so in theory, I could save a LOT of space while at the same time giving them pretty complete jails (one per domain).
>
> Malachi

What I did was set up a master jail (that is never actually booted) and use nullfs to mount pieces of that inside each separate jail (mostly read only as well, which provides some security too, as hacked jails cannot have their system executables changed since they reside in a read-only space). I did not use unionfs. I have one submaster jail which has a writable /usr with a nullfs mount (was using localhost nfs before that) so I can install new stuff inside of that.

Here is an example:

/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/sbin on /local/jails/intentcenter/sbin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)

(continued below)

On 9/13/05, Frank Mueller - emendis GmbH <[EMAIL PROTECTED]> wrote:

> Hi there,
>
> if you have enough system resources I would recommend using separate jails for every user.
> All you have to keep in mind is that you won't be able to provide some services (SMTP, POP, IMAP, etc.) more than once for the whole system because they need a predefined port (25, 110, 443, etc.).

Sure you can. Each separate IP, and each jail has its own IP, has its own set of ports. I run a single server with 40 jails and they have their own imap, smtp, etc in each (as required --- most don't as it is not required but it works fine) without any port forwarding or any funny games.

> Some other services, like ssh, you can manage through port forwarding, http through virtual hosting, etc.

see above -- all my jails (almost) all have their own apache running inside)

> Separate jails make it much easier to keep track of activities.

yes

Chad

> It all depends on what applications the user should be able to use.
>
> Greetz,
>
> Ice

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
[EMAIL PROTECTED]
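An added check for the layout Chad describes (example code, not from the thread or any poster): it reads mount(8) output and flags any master directory that is not nullfs-mounted read-only inside a jail, which is the property his setup relies on. The /local/jails paths are the ones from his listing; the mount listing inside the block is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits mount(8) output for a jail
# laid out the way Chad describes: pieces of a never-booted master jail
# nullfs-mounted inside each jail, read-only, so a compromised jail cannot
# replace its own system executables. The /local/jails paths come from his
# listing; the mount listing below is constructed sample data.

# Constructed sample: like the thread's listing, except that /usr was
# mounted writable and /sbin is not mounted at all.
sample_mounts() {
    cat <<'EOF'
/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)
EOF
}

# check_ro_mounts MASTER JAILROOT MOUNTLIST
# MOUNTLIST is a file holding the output of mount(8). For each system
# directory that should come from MASTER, require a line showing it
# nullfs-mounted at JAILROOT/<dir> with the read-only flag. Prints one
# finding per problem and returns 1 if any was found, 0 otherwise.
check_ro_mounts() {
    master=$1
    jail=$2
    list=$3
    rc=0
    for dir in bin lib libexec sbin usr; do
        # "(" is literal in a basic regex; "|| true" keeps set -e callers alive
        line=$(grep "^$master/$dir on $jail/$dir (" "$list" || true)
        if [ -z "$line" ]; then
            echo "missing: $jail/$dir is not mounted from $master/$dir"
            rc=1
        else
            case $line in
                *nullfs*read-only*) ;;
                *nullfs*) echo "writable: $jail/$dir is nullfs but not read-only"; rc=1 ;;
                *) echo "wrongfs: $jail/$dir is not a nullfs mount"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone run over the constructed sample. On a live host use:
#   mount > /tmp/mounts; check_ro_mounts /local/jails/master /local/jails/intentcenter /tmp/mounts
mounts=$(mktemp)
sample_mounts > "$mounts"
check_ro_mounts /local/jails/master /local/jails/intentcenter "$mounts" \
    || echo "jail layout needs fixing before it is exposed"
rm -f "$mounts"
```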
Re: Requesting advice on Jail technique.
I am thinking at this point what I am going to try to do is build a jail skeleton, then use unionfs to mount on top of that... so in theory, I could save a LOT of space while at the same time giving them pretty complete jails (one per domain).

Malachi
Re: Requesting advice on Jail technique.
Hi there,

if you have enough system resources I would recommend using separate jails for every user.
All you have to keep in mind is that you won't be able to provide some services (SMTP, POP, IMAP, etc.) more than once for the whole system because they need a predefined port (25, 110, 443, etc.).
Some other services, like ssh, you can manage through port forwarding, http through virtual hosting, etc.
Separate jails make it much easier to keep track of activities.
It all depends on what applications the user should be able to use.

Greetz,

Ice

--
Frank Mueller
eMail: [EMAIL PROTECTED]
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386

Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Amtsgericht Fuerth HRB 10116
Re: Requesting advice on Jail technique.
On Tue, 13 Sep 2005 14:43:00 +0100 Elliot Crosby-McCullough <[EMAIL PROTECTED]> wrote:

> Obviously jails are a good start, but my main concern is whether to go for one large jail for all the restricted users or one small jail per user.

-- cut --

> The accounts themselves will be supremely limited. No root access, just basics such as ssh, perhaps telnet, mutt etc. I do not want the users to have the ability to run any scripts, so perl etc is out, but I suppose the NAT firewall will be a fallback if any compiled programs are uploaded.
>
> Each user account is likely to have email/gpg etc but I'm happy to control that from the host system with virtual users and simply deliver into the jail. It is not necessary for the jails to run any services, except the ability to SSH in.

you could follow the ideas i've used, http://scii.nl/~albi/BSD/new.txt (this is part of an "unfinished howto")

the idea is that you make a build-jail to build all the ports; the /bin /sbin /usr/bin /usr/sbin get mounted via nullfs from the host, which basically means that you only have to do the "make installworld" once, only for the host-system.

the build-jail software then gets mounted (as much or less as you like) from the jails, and of course you can limit their access by changing permissions on the /bin dirs etc. or just giving them their needed binaries hard-linked in their ~/bin

you can try the new chroot-option from the latest openssh-portable for them (and disable the base-ssh), although i have personally not played with that option yet

making separate ssh-jails for them is possible with ip_aliases, no real IPs needed

HTH

--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
Re: Requesting advice on Jail technique.
I have been getting ready to do one-jail per domain myself. The key though is that if you want to support any port (and specifically things like ssh) they have to have a public IP address (or 1:1 NAT)... i.e.: if the ssh server is running under each jail, you need to know by IP address which one to log into. You could probably get away with not doing that if they had to ssh into 1 public IP address, and have a login script that auto-ssh's to a different ip on the local network from there... but that will take a lot more work.

For security, I would say you want multiple jails -- since any one logging in can screw the rest -- but that is going to be dependent on how many IPs you want to purchase.

Malachi
Re: Requesting advice on Jail technique.
I think one jail for them all would be the only option; think if you have 10+ users, that's a lot of copies of binaries and libs. You might want to look into jailkit: http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

I've used it on linux before but never bsd.

Good luck!

Mike
Requesting advice on Jail technique.
Dear all,

I will shortly be creating a public service on a private box that will include shell access to untrusted users and would like your opinion on the best way to go about this.

Obviously jails are a good start, but my main concern is whether to go for one large jail for all the restricted users or one small jail per user.

I do not have a wealth of real IPs at my disposal but accountability and security is paramount, therefore I would like to use local IPs through NAT (within the one box) whilst retaining the translation logs. I would like to use one local IP per user in order to keep track of activity. I can afford a few real IPs for the purpose.

The accounts themselves will be supremely limited. No root access, just basics such as ssh, perhaps telnet, mutt etc. I do not want the users to have the ability to run any scripts, so perl etc is out, but I suppose the NAT firewall will be a fallback if any compiled programs are uploaded.

Each user account is likely to have email/gpg etc but I'm happy to control that from the host system with virtual users and simply deliver into the jail. It is not necessary for the jails to run any services, except the ability to SSH in.

As you can see there are factors pulling in both directions, what would you recommend as the best direction to go?

Sincerely,
Elliot Crosby-McCullough