Date: Thu, 10 Dec 2015 15:02:24 +0000
From: Steve O'Hara-Smith
To: Michael Firnau
Cc: Aleksandr Miroslav, freebsd-questions@freebsd.org
Subject: Re: best practice for locking down private jail?
Message-Id: <20151210150224.18d842126bf67bb0b07dcdf6@sohara.org>
In-Reply-To: <20151210144007.GA23555@fanty-a.tf.uni-kiel.de>
References: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org> <20151210144007.GA23555@fanty-a.tf.uni-kiel.de>

On Thu, 10 Dec 2015 15:40:08 +0100
Michael Firnau wrote:

> On Thu, Dec 03, 2015 at 06:45:16PM -0800, Aleksandr Miroslav wrote:
> > On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith wrote:
> > > I would set up two jails - one as the upload jail the other the web
> > > server and use a cron job on the host to move verified mp3 files
> >
> > Excellent advice, I will do just that.
>
> I think the cron job isn't needed. Create a directory outside the jails
> and mount it as nullfs and 'rw' into the upload jail and 'ro' into the
> web server jail. We do this on a zfs basis.

	That works of course, but loses the opportunity to verify the files
before putting them online.

-- 
Steve O'Hara-Smith
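
The host-side cron step discussed in this thread, as an added example (not code from any of the posters): each upload is moved out of the jail-visible directory, copied, header-checked as MP3, and only then published to the directory the web server jail sees read-only. The script name, the three directory arguments and the MP3 header test are assumptions of this example.

```shell
#!/bin/sh
# Added example: host-side "verify, then publish" job for the two-jail layout.
# Directory arguments are hypothetical; only INCOMING is visible to the
# upload jail, STAGING is host-only, PUBLISH is what the web jail serves.

# is_mp3 FILE: true if FILE starts with an ID3v2 tag or an MPEG audio frame
# sync (0xFF, then a byte with its top three bits set). Header check only.
is_mp3() {
    set -- $(od -An -tx1 -N3 "$1" 2>/dev/null)
    [ "$1$2$3" = "494433" ] && return 0
    [ "$1" = "ff" ] || return 1
    case "$2" in e?|f?) return 0 ;; esac
    return 1
}

# publish_verified INCOMING STAGING PUBLISH: prints the number published.
publish_verified() {
    incoming=$1 staging=$2 publish=$3 published=0
    for src in "$incoming"/*; do
        name=${src##*/}
        staged=$staging/$name
        # Take the entry out of the jail's reach first; mv moves a symlink
        # itself rather than following it.
        mv -f "$src" "$staged" 2>/dev/null || continue
        # Drop odd names and anything that is not a plain file.
        case "$name" in *[!A-Za-z0-9._-]*) rm -rf "$staged"; continue ;; esac
        if [ -L "$staged" ] || [ ! -f "$staged" ]; then
            rm -rf "$staged"; continue
        fi
        # Verify a fresh copy, so a descriptor the jail still holds open
        # on the original cannot alter what gets published.
        if cat "$staged" > "$staged.new" && is_mp3 "$staged.new"; then
            chmod 0444 "$staged.new"
            mv -f "$staged.new" "$publish/$name" && published=$((published + 1))
        fi
        rm -rf "$staged" "$staged.new"
    done
    echo "$published"
}

# Cron entry point: publish_mp3.sh INCOMING STAGING PUBLISH
if [ "$#" -eq 3 ]; then publish_verified "$@"; fi
```

With the nullfs layout from the quoted reply, the same check still fits if the 'rw' mount in the upload jail and the 'ro' mount in the web server jail point at two different host directories and this job is the only thing that copies between them.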