From: Malachi de Ælfweald
Date: Thu, 22 Sep 2005 17:51:02 -0700
To: Frank.Mueller@emendis.de
Cc: Elliot Crosby-McCullough, freebsd-questions@freebsd.org
Subject: Re: Requesting advice on Jail technique.
List: freebsd-questions@freebsd.org (User questions)

I am thinking at this point what I am going to try to do is build a jail
skeleton, then use unionfs to mount on top of that... so in theory, I could
save a LOT of space while at the same time giving them pretty complete jails
(one per domain).

Malachi

On 9/13/05, Frank Mueller - emendis GmbH wrote:
>
> Hi there,
>
> if you have enough system resources I would recommend using separate
> jails for every user.
> All u have to keep in mind is that you won't be able to provide some
> services (SMTP, POP, IMAP, etc.) more than once for the whole system
> because they need a predefined port (25, 110, 443, etc.).
> Some other services, like ssh u can manage through port forwarding, http
> through virtual hosting, etc.
> Separate jails make it much easier to keep track of activities.
> It all depends on what applications the user should be able to use.
>
> Greetz,
>
> Ice
>
> Elliot Crosby-McCullough schrieb:
> > Dear all,
> >
> > I will shortly be creating a public service on a private box that
> > will include shell access to untrusted users and would like your opinion
> > on the best way to go about this.
> >
> > Obviously jails are a good start, but my main concern is whether to
> > go for one large jail for all the restricted users or one small jail per
> > user.
> >
> > I do not have a wealth of real IPs at my disposal but accountability
> > and security is paramount, therefore I would like to use local IPs
> > through NAT (within the one box) whilst retaining the translation logs.
> > I would like to use one local IP per user in order to keep track of
> > activity. I can afford a few real IPs for the purpose.
> >
> > The accounts themselves will be supremely limited. No root access,
> > just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> > users to have the ability to run any scripts, so perl etc is out, but I
> > suppose the NAT firewall will be a fallback if any compiled programs are
> > uploaded.
> >
> > Each user account is likely to have email/gpg etc but I'm happy to
> > control that from the host system with virtual users and simply deliver
> > into the jail. It is not necessary for the jails to run any services,
> > except the ability to SSH in.
> >
> > As you can see there are factors pulling in both directions, what
> > would you recommend as the best direction to go?
> >
> > Sincerely,
> > Elliot Crosby-McCullough
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> Frank Mueller
> eMail: Frank.Mueller@emendis.de
> Mobile: +49.177.6858655
> Fax: +49.951.3039342
>
> emendis GmbH
> Hofmannstr. 89, 91052 Erlangen, Germany
> Phone: +49.9131.817361
> Fax: +49.9131.817386
>
> Managing directors: Gunter Kroeber, Volker Wiesinger
> Registered office Erlangen, Fuerth district court HRB 10116
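Added example, not code from anyone in this thread: a small sh script that emits the fstab and rc.conf fragments for the layout Malachi describes (one read-only skeleton, one unionfs-backed jail per domain, one IP per jail so the NAT logs stay attributable). The paths under /usr/jails are assumptions; the jail_* rc.conf variable names are the ones the rc.d/jail script of that era read.

```shell
# Added example (not from the thread). Generates fstab/rc.conf lines for a
# skeleton + per-jail unionfs layout. Paths are assumptions; adjust to taste.
SKEL=/usr/jails/skel      # assumed: shared read-only base installation
JAILS=/usr/jails          # assumed: $JAILS/<name> is each jail's root
RW=/usr/jails-rw          # assumed: $RW/<name> is each jail's writable layer

# Jail names become part of rc.conf variable names, so refuse anything that
# is not [A-Za-z0-9_]; otherwise a stray character ends up in rc.conf.
check_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "bad jail name: $1" >&2; return 1 ;;
    esac
}

# fstab_lines NAME: skeleton nullfs-mounted read-only at the jail root, then
# the jail's private layer unioned on top so writes never reach SKEL.
fstab_lines() {
    check_name "$1" || return 1
    printf '%s %s/%s nullfs ro 0 0\n' "$SKEL" "$JAILS" "$1"
    printf '%s/%s %s/%s unionfs rw 0 0\n' "$RW" "$1" "$JAILS" "$1"
}

# rcconf_lines NAME HOSTNAME IP: per-jail rc.conf variables, one IP per jail.
rcconf_lines() {
    check_name "$1" || return 1
    printf 'jail_%s_rootdir="%s/%s"\n' "$1" "$JAILS" "$1"
    printf 'jail_%s_hostname="%s"\n' "$1" "$2"
    printf 'jail_%s_ip="%s"\n' "$1" "$3"
    printf 'jail_%s_devfs_enable="YES"\n' "$1"
}

# gen_config NAME:HOSTNAME:IP ...: whole rc.conf fragment plus fstab lines.
gen_config() {
    list=
    for spec in "$@"; do
        name=${spec%%:*}
        check_name "$name" || return 1
        list="$list${list:+ }$name"
    done
    echo '# /etc/rc.conf'
    echo 'jail_enable="YES"'
    printf 'jail_list="%s"\n' "$list"
    for spec in "$@"; do
        rest=${spec#*:}
        rcconf_lines "${spec%%:*}" "${rest%%:*}" "${rest#*:}"
    done
    echo '# /etc/fstab'
    for spec in "$@"; do fstab_lines "${spec%%:*}"; done
}
```

Run as `gen_config ns:ns.example.org:10.0.0.2 mail:mail.example.org:10.0.0.3` and paste the two fragments into /etc/rc.conf and /etc/fstab; the 10.0.0.x addresses are constructed sample values.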