Date: Thu, 22 Sep 2005 17:51:02 -0700 From: =?ISO-8859-1?Q?Malachi_de_=C6lfweald?= <malachid@gmail.com> To: Frank.Mueller@emendis.de Cc: Elliot Crosby-McCullough <freebsd@xianshi.org>, freebsd-questions@freebsd.org Subject: Re: Requesting advice on Jail technique. Message-ID: <c090347a05092217516ce9506d@mail.gmail.com> In-Reply-To: <4326DC58.1090806@emendis.de> References: <4326D764.1040402@xianshi.org> <4326DC58.1090806@emendis.de>
next in thread | previous in thread | raw e-mail | index | archive | help
I am thinking at this point what I am going to try to do is build a jail skeleton, then use unionfs to mount on top of that... so in theory, I could save a LOT of space while at the same time giving them pretty complete jail= s (one per domain). Malachi On 9/13/05, Frank Mueller - emendis GmbH <Frank.Mueller@emendis.de> wrote: > > Hi there, > > if you have enough system resources I would recommend using seperate > jails for every user. > All u have to keep in mind is that you won't be able to provide some > services (SMTP, POP, IMAP, usw.) more than once for the whole system > because they need a predefined port (25, 110, 443, usw.). > Some other services, like ssh u can manage through port forwarding, http > through virtual hosting, etc. > Separate jails make it much easier to keep track of activities. > It all depends on what applications the user should be able to use. > > Greetz, > > Ice > > Elliot Crosby-McCullough schrieb: > > Dear all, > > > > I will shortly be creating a public service on a private box that > > will include shell access to untrusted users and would like your opinio= n > > on the best way to go about this. > > > > Obviously jails are a good start, but my main concern is whether to > > go for one large jail for all the restricted users or one small jail pe= r > > user. > > > > I do not have a wealth of real IPs at my disposal but accountability > > and security is paramount, therefore I would like to use local IPs > > through NAT (within the one box) whilst retaining the translation logs. > > I would like to use one local IP per user in order to keep track of > > activity. I can afford a few real IPs for the purpose. > > > > The accounts themselves will be supremely limited. No root access, > > just basics such as ssh, perhaps telnet, mutt etc. I do not want the > > users to have the ability to run any scripts, so perl etc is out, but I > > suppose the NAT firewall will be a fallback if any compiled programs ar= e > > uploaded. > > > > Each user account is likely to have email/gpg etc but I'm happy to > > control that from the host system with virtual users and simply deliver > > into the jail. It is not necessary for the jails to run any services, > > except the ability to SSH in. > > > > As you can see there are factors pulling in both directions, what > > would you recommend as the best direction to go? > > > > Sincerely, > > Elliot Crosby-McCullough > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to > > "freebsd-questions-unsubscribe@freebsd.org" > > -- > Frank Mueller > eMail: Frank.Mueller@emendis.de > Mobil: +49.177.6858655 > Fax: +49.951.3039342 > > emendis GmbH > Hofmannstr. 89, 91052 Erlangen, Germany > Fon: +49.9131.817361 > Fax: +49.9131.817386 > > Geschaeftsfuehrer: Gunter Kroeber, Volker Wiesinger > Sitz Erlangen, Amtsgericht Fuerth HRB 10116 > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c090347a05092217516ce9506d>