From: Polytropon
To: Aleksandr Miroslav
Cc: freebsd-questions@freebsd.org
Date: Thu, 3 Dec 2015 08:39:26 +0100
Subject: Re: best practice for locking down private jail?
Message-Id: <20151203083926.72ad74db.freebsd@edvax.de>

On Wed, 2 Dec 2015 21:52:59 -0800, Aleksandr Miroslav wrote:
> On Wed, Dec 2, 2015 at 9:44 PM, Aleksandr Miroslav wrote:
> > - from the example.org machine, outside the jail, i setup httpd to
> > serve files only from
> > /usr/jails/privatejail/usr/home/joeblow/audiofiles
> [...]
> > can I tell Apache to only serve up mp3 files of name
> > lecture-num.mp3 or something like that?
>
> Thinking about this some more. I think instead of having apache point
> to the jail directly, I setup a cron job on the host that calls a
> script that runs every 5 minutes or so, and copies only mp3 files of
> some pattern-matched name to the host system, and then only that is
> served up by apache. That would work better I think. It would have to
> be a cron job on the host, I don't think I can have a script from
> inside the private jail call something directly on the host.

Make sure no incomplete files are being processed. You can even
write a script that first checks that the user "joeblow" is currently
_not_ logged in (or not performing a scp transfer), so incomplete
files can be avoided, and then have this script copy the files from
his home (upload) directory to a different directory for Apache to
serve from; in this script, you can also force a certain pattern
for files: those that do not match won't be copied.
In this case, even if "joeblow" accidentally (or someone else
intendedly) deletes the content of his $HOME, the files to be
served will still be intact in a location that this user cannot
access.

Oh, and regarding SSH with keys: You can force keys _and_ a password.
Educate the user what a secure password is, and make him understand
"password hygiene". So even if someone is able to get his SSH keys,
the attacker cannot get access without the password (which is to be
provided interactively, not stored in plain text in some configuration
or history file, of course).

Just a few suggestions. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
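
The host-side cron script suggested in the message above, as an added example that is not part of the original thread: it skips the run while the user is logged in, enforces the `lecture-NUM.mp3` pattern, refuses symlinks and recently modified files, and publishes by copy-then-rename. The script name, function names, `MIN_AGE_MIN` and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run from cron on the host, e.g.
# (publish.sh and the destination path are hypothetical):
#   publish.sh /usr/jails/privatejail/usr/home/joeblow/audiofiles /usr/local/www/lectures joeblow
MIN_AGE_MIN=${MIN_AGE_MIN:-5}  # assumed: minutes unmodified before a file counts as complete

user_logged_in() {
    # True if the named user has a login session listed by who(1).
    who | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

valid_name() {
    # Accept only lecture-<digits>.mp3; everything else is rejected.
    case "$1" in
        lecture-*[!0-9]*.mp3) return 1 ;;   # a non-digit between "lecture-" and ".mp3"
        lecture-[0-9]*.mp3)   return 0 ;;
        *)                    return 1 ;;
    esac
}

publish_lectures() {
    src=$1 dst=$2 user=$3
    # Leave the upload directory alone while the user is logged in.
    if user_logged_in "$user"; then return 0; fi
    for f in "$src"/lecture-*.mp3; do
        name=${f##*/}
        valid_name "$name" || continue
        # Regular files only (a symlink planted in the jail could point at a
        # host file), and only files untouched for MIN_AGE_MIN minutes.
        [ -n "$(find "$f" -prune -type f -mmin +"$MIN_AGE_MIN" 2>/dev/null)" ] || continue
        # Nothing to do if the published copy is already identical.
        cmp -s "$f" "$dst/$name" && continue
        # Copy under a temporary name, then rename, so Apache never
        # serves a half-written file.
        tmp="$dst/.tmp.$$.$name"
        cp "$f" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dst/$name" || rm -f "$tmp"
    done
    return 0
}

if [ "$#" -eq 3 ]; then publish_lectures "$@"; fi
```

The type check and the copy are separate steps, so this narrows but does not close a symlink-swap race. Running the job as an unprivileged host user that can read only the upload directory limits what such a swap could expose.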