Re: Requesting advice on Jail technique.

2005-09-23 Thread Malachi de Ælfweald
I would like to provide as complete a system as possible to the
jail/domain owners. What specifically do I need to ensure they DON'T have
access to? And if I give them access to the ports collection, how do I
prevent them from just installing said binaries anyways?

Another thing I was thinking... if I go forward with the unionfs, say, for
the ports collection itself -- each jail could have their own configuration
files, etc... but should I make the distfiles directory get updated so that
we don't get huge amounts of that space replicated?

Malachi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Requesting advice on Jail technique.

2005-09-23 Thread sd

Hello,

I use different jails for nearly each network service I have to provide:
httpd, smtp/pop3, squid, log collector.
It's quite difficult to build each particular jail with those programs
and corresponding libraries which will be needed in it. That is why I
made the following simple script to make a jail and to add needed
programs to it (you will have to change the absolute paths):


#!/bin/sh
#
# Build a jail directory tree and copy programs into it together with the
# shared libraries ldd(1) reports for them, keeping the host's paths.
# cp(1) without -p does not preserve mode and ownership, so after each copy
# the stat(1) fields mode/uid/gid of source and copy are compared and a
# warning is printed when they differ.

# copyfile /absolute/path : copy that file to $DSTDIR/absolute/path
copyfile() {
    src=$1
    dir=`dirname "$src"`
    dst=$DSTDIR$dir/`basename "$src"`

    mkdir -p "$DSTDIR$dir" && cp "$src" "$DSTDIR$dir"

    srcstat=`stat "$src" | awk '{ print $3, $5, $6 }'`
    dststat=`stat "$dst" | awk '{ print $3, $5, $6 }'`
    if [ "$srcstat" != "$dststat" ]; then
        echo "Warning - $src and $dst modes differ"
        ls -la "$src" "$dst"
    fi
}

# docommand : copy the program named in $TGT and every library it links to
docommand() {
    prog=`which "$TGT"`
    if [ -z "$prog" ]; then
        echo "$TGT: not found in PATH"
        return 1
    fi
    copyfile "$prog"
    # ldd prints "<program>:" on its own line, then one
    # "libname => /path/to/lib (address)" line per library;
    # the third field of those lines is the library's path.
    for lib in `ldd "$prog" | grep -v ":" | awk '{ print $3 }'`; do
        copyfile "$lib"
    done
}

echo "where you want base dir to be?"
read DSTDIR
if [ -z "$DSTDIR" ]; then
    DSTDIR=/usr/home
fi
echo "$DSTDIR"
[ -d "$DSTDIR" ] || mkdir -p "$DSTDIR"

echo "how do you want to call this jail?"
read JDIR
if [ -z "$JDIR" ]; then
    JDIR=10.10.10.10
fi
echo "$JDIR"
DSTDIR=$DSTDIR/$JDIR

if [ ! -d "$DSTDIR" ]; then
    mkdir -p "$DSTDIR"
    echo "DEST: $DSTDIR"
    # cp(1) reads the device, so this leaves an empty regular file called
    # null, not a device node; the device nodes still have to be created.
    mkdir "$DSTDIR/dev" && echo "Please copy devices!!!"
    cp /dev/null "$DSTDIR/dev/"
    echo 'Write "yes" after'
    read y
    if [ "$y" != "yes" ]; then exit 0; fi
    # Commented out in the original; the loop variable's name did not
    # survive in the archived copy, so "d" is used here as a placeholder.
    #for d in fd net kmem log mem null random stderr stdin stdout urandom zero
    #do
    #    cp /dev/$d "$DSTDIR/dev/"
    #done
    mkdir "$DSTDIR/bin"
    mkdir "$DSTDIR/etc"
    mkdir "$DSTDIR/lib"
    # ldd does not list the run-time linker itself, so copy it by hand
    mkdir "$DSTDIR/libexec" && cp /libexec/ld-elf.so.1 "$DSTDIR/libexec/"
    mkdir "$DSTDIR/home"
    mkdir "$DSTDIR/proc"
    mkdir "$DSTDIR/tmp"
    mkdir "$DSTDIR/usr"
    mkdir "$DSTDIR/var"
    mkdir "$DSTDIR/var/run"
    (cd "$DSTDIR" && ln -s dev/null ./kernel)
    # the minimum set of programs every jail gets
    for TGT in sh mail syslogd newsyslog cron; do
        docommand
    done
fi

echo "what programs d'you want to copy?"
read TGT
echo "$TGT"
if [ -z "$TGT" ]; then
    exit 0
fi
# several programs may be given, separated by spaces
for TGT in $TGT; do
    docommand
done
exit 0


Another one to see the processes in different jails:
#!/bin/sh
# List the processes running inside jails (ps(1) marks them with a "J" in
# the STAT column), coloured per jail.  The jail a process belongs to is
# found by resolving /proc/<pid>/file back to the jail directory under
# /usr/home, so procfs is mounted first.  The name of the variable holding
# the jail directory did not survive in the archived copy; "jail" is used
# here.  With "x" as the first argument the IPv4 sockets of each process
# are listed as well (needs lsof).
IFS='
'
mount -t procfs proc /proc
ii=1
i=5
# the ps header line also matches "J" (JOBC), hence the ii -ne 1 test below
for line in `ps -ajxfw | grep "J" | grep -v grep`; do
    uid=`echo "$line" | awk '{ print $1 }'`
    pid=`echo "$line" | awk '{ print $2 }'`
    pnam=`echo "$line" | awk '{ print $10 }'`
    if [ $ii -ne 1 ]; then
        # /usr/home/<jail>/bin/sh -> the 4th "/"-separated field is the jail
        # directory, whose last "."-separated field (the last octet of its
        # IP) picks the colour; the names below are the author's own jails.
        jail=`readlink /proc/$pid/file | awk -F'/' '{ print $4 }'`
        iii=`echo "$jail" | awk -F'.' '{ print $4 }'`
        # echo "ii= $iii"; exit 0      # debugging leftover, disabled
        case "$iii" in
            buk) i=2 ;;
            198) i=4 ;;
            220) i=5 ;;
            222) i=6 ;;
        esac
        if [ "$1" = x ]; then
            echo -e "\033[1;1;4${i}m${jail}, ${pid}:\033[2;0m" \
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid \
                `lsof -nn -p ${pid} | grep "IPv4" | awk '{ print $8, $9, $12 }'`
        else
            echo -e "\033[1;1;4${i}m${jail}, ${pid}:\033[2;0m" \
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid
        fi
    fi
    ii=`expr $ii + 1`
done
umount /proc
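A check that belongs next to a copy-based jail like the one built above, added here as an example and not part of sd's post: after the programs and the libraries ldd(1) names have been copied, confirm that every library each program needs really exists under the jail root. A program with a missing library fails at exec time inside the jail with a run-time linker error, and the check is cheap to run after every host update. The ldd output is a constructed sample in the format FreeBSD's ldd prints (`LDD_SAMPLE`), the jail tree is a throwaway fixture made with mktemp, and the function names are mine.

```shell
#!/bin/sh
# Verify that a copy-populated jail contains every shared library the
# programs in it link against.  Added example; constructed data only.

# Constructed ldd(1) output for a hypothetical /bin/sh (on a real host:
# LDD_OUTPUT=$(ldd "$prog")).
LDD_SAMPLE='/bin/sh:
        libedit.so.4 => /lib/libedit.so.4 (0x2807d000)
        libncurses.so.5 => /lib/libncurses.so.5 (0x28093000)
        libc.so.6 => /lib/libc.so.6 (0x280d2000)'

# ldd_libs LDD_OUTPUT: print the library paths, one per line.  The
# "<program>:" header is dropped; the third field of each remaining
# "name => path (address)" line is the path.
ldd_libs() {
    printf '%s\n' "$1" | grep -v ':' | awk '{ print $3 }'
}

# missing_libs JAILROOT LDD_OUTPUT: print each library the jail tree lacks;
# return 0 when all are present, 1 otherwise.
missing_libs() {
    jailroot=$1
    status=0
    for lib in $(ldd_libs "$2"); do
        if [ ! -f "$jailroot$lib" ]; then
            echo "$lib"
            status=1
        fi
    done
    return $status
}

# build_fixture: a throwaway jail tree holding two of the three libraries
# (constructed test data); prints its path.
build_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib"
    printf 'stub' > "$root/lib/libedit.so.4"
    printf 'stub' > "$root/lib/libc.so.6"
    printf '%s\n' "$root"
}

# Usage on the fixture: prints /lib/libncurses.so.5, the one library missing.
root=$(build_fixture) && { missing_libs "$root" "$LDD_SAMPLE"; rm -rf "$root"; }
```

On a live host the same two functions run as `missing_libs /usr/home/10.10.10.10 "$(ldd /usr/home/10.10.10.10/bin/sh)"` for each copied program; a non-zero return is the signal to re-run the copy script for that program.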

Re: Requesting advice on Jail technique.

2005-09-22 Thread Chad Leigh -- Shire.Net LLC


On Sep 22, 2005, at 6:51 PM, Malachi de Ælfweald wrote:

> I am thinking at this point what I am going to try to do is build a jail
> skeleton, then use unionfs to mount on top of that... so in theory, I could
> save a LOT of space while at the same time giving them pretty complete jails
> (one per domain).
> Malachi

What I did was set up a master jail (that is never actually booted) and use
nullfs to mount pieces of that inside each separate jail (mostly read only
as well, which provides some security as well, as hacked jails cannot have
their system executables changed since they reside in a read only space).
I did not use unionfs. I have one submaster jail which has a writable /usr
with a nullfs mount (was using localhost nfs before that) so I can install
new stuff inside of that.

Here is an example

/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/sbin on /local/jails/intentcenter/sbin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)

procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)

(continued below)

> On 9/13/05, Frank Mueller - emendis GmbH <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> if you have enough system resources I would recommend using separate
> jails for every user.
> All you have to keep in mind is that you won't be able to provide some
> services (SMTP, POP, IMAP, etc.) more than once for the whole system
> because they need a predefined port (25, 110, 443, etc.).

Sure you can. Each separate IP, and each jail has its own IP, has its own
set of ports. I run a single server with 40 jails and they have their own
imap, smtp, etc in each (as required --- most don't as it is not required
but it works fine) without any port forwarding or any funny games.

> Some other services, like ssh you can manage through port forwarding, http
> through virtual hosting, etc.

see above -- all my jails (almost all) have their own apache running inside.

> Separate jails make it much easier to keep track of activities.

yes

Chad

> It all depends on what applications the user should be able to use.
>
> Greetz,
>
> Ice
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
[EMAIL PROTECTED]


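The layout Chad shows only protects the jail while every borrowed system directory really is a nullfs mount flagged read-only; one forgotten entry in a jail's fstab, or a remount without `ro`, leaves that directory writable from inside. The following is an added example (mine, not Chad's) of a check that reads mount(8) output and reports any of bin, lib, libexec, sbin and usr under a jail root that is missing from the mount table, is not nullfs, or is writable. The mount listing is a constructed sample modelled on Chad's, with sbin deliberately mounted writable so the check has something to find; the function names are mine.

```shell
#!/bin/sh
# Check that a jail's system directories are read-only nullfs mounts.
# Added example; SAMPLE_MOUNTS is constructed (on a live host: mount).

SAMPLE_MOUNTS='/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/sbin on /local/jails/intentcenter/sbin (nullfs, local)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)'

# Directories every jail must borrow from the master read-only.
SYSTEM_DIRS="bin lib libexec sbin usr"

# mount_options MOUNTS MOUNTPOINT: print the option list (the text inside
# the parentheses) of the entry mounted exactly at MOUNTPOINT, or nothing
# when no such entry exists.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == "on" && $3 == mp {
        sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print; exit }'
}

# check_ro_mounts MOUNTS JAILROOT: print one "<dir>: <problem>" line per
# violation; return 0 when every system directory is a read-only nullfs
# mount, 1 otherwise.
check_ro_mounts() {
    mounts=$1
    jailroot=$2
    rc=0
    for d in $SYSTEM_DIRS; do
        opts=$(mount_options "$mounts" "$jailroot/$d")
        case "$opts" in
            "")
                echo "$d: not mounted"; rc=1 ;;
            nullfs*read-only*)
                ;;                       # as intended
            nullfs*)
                echo "$d: nullfs but writable ($opts)"; rc=1 ;;
            *)
                echo "$d: not a nullfs mount ($opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: on the sample this prints "sbin: nullfs but writable (nullfs, local)".
check_ro_mounts "$SAMPLE_MOUNTS" /local/jails/intentcenter || echo "layout needs attention"
```

Run it from cron on the host with `check_ro_mounts "$(mount)" /local/jails/<name>` for each jail in turn; the "not mounted" case matters most, because a jail whose bin or usr is not mounted at all silently falls through to whatever the underlying filesystem holds at that path.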

Re: Requesting advice on Jail technique.

2005-09-22 Thread Malachi de Ælfweald
I am thinking at this point what I am going to try to do is build a jail
skeleton, then use unionfs to mount on top of that... so in theory, I could
save a LOT of space while at the same time giving them pretty complete jails
(one per domain).
 Malachi



Re: Requesting advice on Jail technique.

2005-09-13 Thread Frank Mueller - emendis GmbH

Hi there,

if you have enough system resources I would recommend using separate
jails for every user.
All you have to keep in mind is that you won't be able to provide some
services (SMTP, POP, IMAP, etc.) more than once for the whole system
because they need a predefined port (25, 110, 443, etc.).
Some other services, like ssh you can manage through port forwarding, http
through virtual hosting, etc.

Separate jails make it much easier to keep track of activities.
It all depends on what applications the user should be able to use.

Greetz,

Ice



--
Frank Mueller
eMail: [EMAIL PROTECTED]
Mobil: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Fon: +49.9131.817361
Fax: +49.9131.817386

Geschaeftsfuehrer: Gunter Kroeber, Volker Wiesinger
Sitz Erlangen, Amtsgericht Fuerth HRB 10116


Re: Requesting advice on Jail technique.

2005-09-13 Thread albi
On Tue, 13 Sep 2005 14:43:00 +0100
Elliot Crosby-McCullough <[EMAIL PROTECTED]> wrote:


>   Obviously jails are a good start, but my main concern is whether to go 
> for one large jail for all the restricted users or one small jail per user.
-- cut --
>   The accounts themselves will be supremely limited.  No root access, 
> just basics such as ssh, perhaps telnet, mutt etc.  I do not want the 
> users to have the ability to run any scripts, so perl etc is out, but I 
> suppose the NAT firewall will be a fallback if any compiled programs are 
> uploaded.
> 
>   Each user account is likely to have email/gpg etc but I'm happy to 
> control that from the host system with virtual users and simply deliver 
> into the jail.  It is not necessary for the jails to run any services, 
> except the ability to SSH in.

you could follow the ideas I've used, http://scii.nl/~albi/BSD/new.txt
(this is part of an "unfinished howto")

the idea is that you make a build-jail to build all the ports,
the /bin /sbin /usr/bin /usr/sbin get mounted via nullfs from the host,
which basically means that you only have to do the "make installworld"
once, only for the host-system

the build-jail software then gets mounted (as much or as little as you like)
from the jails, and of course you can limit their access by changing
permissions on the /bin dirs etc. or just giving them their needed
binaries hard-linked in their ~/bin

you can try the new chroot-option from the latest openssh-portable for
them (and disable the base-ssh), although I have personally not played
with that option yet

making separate ssh-jails for them is possible with ip_aliases, no real
IPs needed

HTH

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
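Putting albi's and Chad's suggestions together in configuration form, as an added example that is not from either post: each shell jail gets a private address as an alias on the host interface (no public IP needed), and its bin, sbin, lib, libexec and usr are nullfs-mounted read-only from a master tree through a per-jail fstab. The `jail_<name>_*` variable names are those of the /etc/rc.d/jail script of the FreeBSD 5/6 era as I recall them, which is an assumption to check against the rc.conf(5) of the release in use; the jail names, interface, addresses and paths are made up for the example, and `jail_fstab` is my helper, not part of the base system.

```shell
#!/bin/sh
# rc.conf(5) fragment plus a generator for the per-jail fstab(5).
# Added example; names, addresses and paths are constructed.

# --- /etc/rc.conf fragment (assumed variable names, see lead-in) ----------
# one alias on the host interface per jail; alias entries use a /32 netmask
ifconfig_fxp0_alias0="inet 10.0.0.11 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.0.0.12 netmask 255.255.255.255"

jail_enable="YES"
jail_list="shell01 shell02"

jail_shell01_rootdir="/local/jails/shell01"
jail_shell01_hostname="shell01.example.net"
jail_shell01_ip="10.0.0.11"
jail_shell01_interface="fxp0"
jail_shell01_devfs_enable="YES"
jail_shell01_devfs_ruleset="devfsrules_jail"
jail_shell01_mount_enable="YES"
jail_shell01_fstab="/etc/fstab.shell01"

jail_shell02_rootdir="/local/jails/shell02"
jail_shell02_hostname="shell02.example.net"
jail_shell02_ip="10.0.0.12"
jail_shell02_interface="fxp0"
jail_shell02_devfs_enable="YES"
jail_shell02_devfs_ruleset="devfsrules_jail"
jail_shell02_mount_enable="YES"
jail_shell02_fstab="/etc/fstab.shell02"

# --- per-jail fstab --------------------------------------------------------
# jail_fstab MASTER JAILROOT: print the fstab(5) lines that mount the master
# tree's system directories into JAILROOT as read-only nullfs, so that even a
# user who becomes root inside the jail cannot replace the system binaries.
jail_fstab() {
    master=$1
    jailroot=$2
    for d in bin sbin lib libexec usr; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$master" "$d" "$jailroot" "$d"
    done
}

# Usage: jail_fstab /local/jails/master /local/jails/shell01 > /etc/fstab.shell01
jail_fstab /local/jails/master /local/jails/shell01
```

The mount points under each jail root (`/local/jails/shell01/bin` and so on) must exist as empty directories before the jail starts; the jail's own writable state (etc, home, tmp, var) stays on the jail's root filesystem, which is what keeps the master tree shareable between jails.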


Re: Requesting advice on Jail technique.

2005-09-13 Thread Malachi de Ælfweald
I have been getting ready to do one-jail per domain myself. The key though
is that if you want to support any port (and specifically things like ssh)
they have to have a public IP address (or 1:1 NAT)... ie: if the ssh server
is running under each jail, you need to know which IP address to log
into it.

You could probably get away with not doing that if they had to ssh into 1
public IP address; and have a login script that auto-ssh's to a different ip
on the local network from there ... but that will take a lot more work.

For security, I would say you want multiple jails -- since any one logging
in can screw the rest -- but that is going to be dependent on how many IPs
you want to purchase.

Malachi



Re: Requesting advice on Jail technique.

2005-09-13 Thread Mike Hernandez
I think one jail for them all would be the only option; think, if you
have 10+ users that's a lot of copies of binaries and libs. You might
want to look into jailkit:

http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

I've used it on linux before but never bsd. 

Good luck!

Mike


Requesting advice on Jail technique.

2005-09-13 Thread Elliot Crosby-McCullough

Dear all,

I will shortly be creating a public service on a private box that will
include shell access to untrusted users and would like your opinion on
the best way to go about this.

Obviously jails are a good start, but my main concern is whether to go
for one large jail for all the restricted users or one small jail per user.

I do not have a wealth of real IPs at my disposal but accountability
and security is paramount, therefore I would like to use local IPs
through NAT (within the one box) whilst retaining the translation logs.
I would like to use one local IP per user in order to keep track of
activity.  I can afford a few real IPs for the purpose.

The accounts themselves will be supremely limited.  No root access,
just basics such as ssh, perhaps telnet, mutt etc.  I do not want the
users to have the ability to run any scripts, so perl etc is out, but I
suppose the NAT firewall will be a fallback if any compiled programs are
uploaded.

Each user account is likely to have email/gpg etc but I'm happy to
control that from the host system with virtual users and simply deliver
into the jail.  It is not necessary for the jails to run any services,
except the ability to SSH in.

As you can see there are factors pulling in both directions, what would
you recommend as the best direction to go?


Sincerely,
Elliot Crosby-McCullough