From owner-freebsd-questions@FreeBSD.ORG Wed May 12 10:40:27 2004
Return-Path: <chad@shire.net>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EE6216A4CE; Wed, 12 May 2004 10:40:27 -0700 (PDT)
Received: from hobbiton.shire.net (hobbiton.shire.net [206.71.64.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F5C143D2D; Wed, 12 May 2004 10:40:26 -0700 (PDT) (envelope-from chad@shire.net)
Received: from [67.161.247.57] (helo=[192.168.99.66]) by hobbiton.shire.net with asmtp (TLSv1:RC4-SHA:128) (Exim 4.10) id 1BNxiT-0007qj-00; Wed, 12 May 2004 11:40:25 -0600
In-Reply-To: <87ad0dwriy.fsf@strauser.com>
References: <87ad0dwriy.fsf@strauser.com>
Message-Id: <70EE309A-A43B-11D8-A0B4-003065A70D30@shire.net>
From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Date: Wed, 12 May 2004 11:40:21 -0600
To: Kirk Strauser
cc: freebsd-questions@freebsd.org
Subject: Re: read only system file systems for jail
X-Mailer: Apple Mail (2.613)
List-Id: User questions

On May 12, 2004, at 10:15 AM, Kirk Strauser wrote:

> At 2004-05-12T05:31:41Z, "Chad Leigh -- Shire.Net LLC" writes:
>
>> Is there a fundamental problem of having the following all be read-only
>> file systems, with the noted exceptions?
>
> With the exception of /var (that you mentioned in another post), you should
> be fine.

Good deal. I have been running test jails like this for a while and it seemed to work.
>> note that users are not allowed root privilege and hence are not
>> installing stuff into any of these hierarchies and no /usr/ports
>
> Out of curiosity, what are you using jails for?

Create "virtual servers". Up to now I have been using them as I consolidated real HW onto one more powerful box[1] (since I pay by the rack unit :-), as well as I have a few customers who have their own jails that they run for whatever they want to do. Current production systems are 4.9 (and a 4.7). Currently all jails have their own installs, which is a pita to admin for upgrades. With a single jail install, I can update one instance and restart the jails and get everyone updated. On my test system I am currently using localhost NFS mounting to remount the master jail directories.

I am getting ready to deploy 5.x sometime this summer, hopefully 5.3-RELEASE, and want to virtualize all the users. So each virtual web host (with IP) will actually be running in its own jail, with its own instance of Roxen or apache running (out of one install though). No services except ssh should be running on the main HW, with only admin log-in, no customers, and all mail, web, customer, whatever, services will be running in "hardened" jails (hardened through the read-only part).

Additionally, I create file-backed mdXXX file systems and mount them for each jail, so the jail is self-contained in its own file system. (And that enforces a quota by default on the user without having to run quota stuff.)

The idea is to make it a lot harder for potential hackers to take over the machine. Any cracked web or other services land them in a jail that should be hard to break out of and even harder to take advantage of, since the main system directories are read-only. I have not been hacked so far anyway, that I can tell (and I do regular checks with various utils), and want to make it that much harder.
best
Chad

[1] we run more than one box but multiples that did not need to be separate have been consolidated down
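The setup described in this message only hardens the jail if the system hierarchies really are mounted read-only and nothing is quietly remounted read-write later. The following added example, which is not from the thread or from any FreeBSD tool, is a small POSIX sh checker that reads mount(8)-style output and reports any expected hierarchy that is missing or writable under a jail root. The jail path /jail/web1, the master directory /jailmaster, the hierarchy list in RO_DIRS and the sample mount lines are all constructed assumptions; the output format mirrors what FreeBSD's mount(8) prints, where a read-only mount shows "read-only" inside the parentheses.

```shell
#!/bin/sh
# Added example, not part of the original message. Verifies that a jail's
# system hierarchies are mounted read-only by parsing mount(8)-style lines.
# Paths, the hierarchy list and the sample listing below are assumptions.

# Hierarchies the jail must see read-only (an assumed list matching the
# "single install, many jails" layout discussed in the thread).
RO_DIRS="/bin /sbin /lib /libexec /usr"

# Constructed sample of `mount` output for a jail rooted at /jail/web1.
# /usr is deliberately left writable so the checker has something to flag.
SAMPLE_MOUNTS='/dev/md0 on /jail/web1 (ufs, local)
localhost:/jailmaster/bin on /jail/web1/bin (nfs, read-only)
localhost:/jailmaster/sbin on /jail/web1/sbin (nfs, read-only)
localhost:/jailmaster/lib on /jail/web1/lib (nfs, read-only)
localhost:/jailmaster/libexec on /jail/web1/libexec (nfs, read-only)
localhost:/jailmaster/usr on /jail/web1/usr (nfs)
/dev/md1 on /jail/web1/var (ufs, local)'

# check_ro_mounts JAILROOT MOUNT_LISTING
# Prints one line per hierarchy that is not a separate mount or is writable.
# Returns 0 only when every entry in RO_DIRS is mounted read-only under
# JAILROOT; returns 1 otherwise.
check_ro_mounts() {
    root=$1
    listing=$2
    bad=0
    for d in $RO_DIRS; do
        mp="$root$d"
        # Fixed-string match on " on <mountpoint> (" so /jail/web1/lib does
        # not also match /jail/web1/libexec.
        line=$(printf '%s\n' "$listing" | grep -F " on $mp (")
        if [ -z "$line" ]; then
            echo "MISSING  $mp is not a separate mount (inherits the writable root)"
            bad=1
        elif ! printf '%s\n' "$line" | grep -q 'read-only'; then
            echo "WRITABLE $mp: $line"
            bad=1
        fi
    done
    return $bad
}

# Convenience wrapper for a live FreeBSD host: feeds the real mount(8) output.
check_live_jail() {
    check_ro_mounts "$1" "$(mount)"
}

# Stand-alone run against the constructed sample; the writable /usr is reported.
check_ro_mounts /jail/web1 "$SAMPLE_MOUNTS" || echo "jail /jail/web1 fails the read-only policy"
```

Run it periodically from the host (not from inside the jail) via check_live_jail, alongside the file-system integrity checks the message already mentions; a hierarchy that is missing from the listing is as much a finding as a writable one, because it means the directory lives on the jail's writable root file system instead of on the read-only master.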