From owner-freebsd-questions@freebsd.org  Thu Dec  3 07:55:19 2015
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7F98FA3F2B3
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Thu,  3 Dec 2015 07:55:19 +0000 (UTC)
 (envelope-from steve@sohara.org)
Received: from uk1mail2513.mymailbank.co.uk
 (UK1MAIL2513-PERMANET.IE.mymailbank.co.uk [217.69.47.44])
 by mx1.freebsd.org (Postfix) with ESMTP id F0C871BF6
 for <freebsd-questions@freebsd.org>; Thu,  3 Dec 2015 07:55:18 +0000 (UTC)
 (envelope-from steve@sohara.org)
Received: from smtp.lan.sohara.org (UnknownHost [88.151.27.41]) by
 uk1mail2513-d.mymailbank.co.uk with SMTP; 
 Thu, 3 Dec 2015 07:39:15 +0000
Received: from [192.168.63.1] (helo=steve.lan.sohara.org)
 by smtp.lan.sohara.org with smtp (Exim 4.85 (FreeBSD))
 (envelope-from <steve@sohara.org>) id 1a4OU8-0003WY-6w
 for freebsd-questions@freebsd.org; Thu, 03 Dec 2015 07:39:24 +0000
Date: Thu, 3 Dec 2015 07:39:23 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: freebsd-questions@freebsd.org
Subject: Re: best practice for locking down private jail?
Message-Id: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>
In-Reply-To: <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com>
References: <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com>
X-Mailer: Sylpheed 3.4.3 (GTK+ 2.24.28; amd64-portbld-freebsd10.1)
X-Clacks-Overhead: "GNU Terry Pratchett"
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 07:55:19 -0000

On Wed, 2 Dec 2015 21:44:01 -0800
Aleksandr Miroslav <alexmiroslav@gmail.com> wrote:

> So I'm setting up a server for a friend who wants to upload audio
> files and have them served up via http. i.e. He uploads lecture.mp3 to
> example.org, and wants people to be able to access it via
> http://example.org/audio/lecture.mp3.
> 
> He's somewhat tech savvy, but I'm being super paranoid about security,

	I'll jump in here. If you are serious about locking this down as
tight as possible then don't use Apache, use a minimalist web server that
can only serve static files (thttpd can be set up this way - there are
others). I would set up two jails - one as the upload jail the other the
web server and use a cron job on the host to move verified mp3 files (not
just by name use file at least) into the directory served by the web
server. Both jails stripped down so they pretty much can't do anything else.
FInally I'd use pf to lock down the traffic so that nothing gets to the
jails that shouldn't. I'm a firm believer that security starts by removing
the capabilities that you don't need - if it's not there it can't be
compromised, so ideally run applications in jails not complete system
images.

-- 
Steve O'Hara-Smith <steve@sohara.org>