From owner-freebsd-questions@FreeBSD.ORG Fri Sep 23 12:27:01 2005
From: sd <sd@buc.com.ua>
Date: Fri, 23 Sep 2005 15:26:42 +0000
To: freebsd-questions@freebsd.org
Message-ID: <43341EB2.1050306@buc.com.ua>
In-Reply-To: <20050923120059.2A61F16A421@hub.freebsd.org>
Subject: Re: Requesting advice on Jail technique.

Hello,

I use different jails for nearly each network service I have to provide: httpd, smtp/pop3, squid, log collector.
It's quite difficult to build each particular jail with those programs and corresponding libraries which will be needed in it. That is why I made the following simple script to make a jail and to add needed programs to it (you will have to change the absolute paths):

#!/bin/sh
# Copy the program named in $TGT, plus every shared library ldd reports for
# it, into the jail tree under $DSTDIR, keeping the same directory layout.
# cp(1) without -p does not keep mode/owner/group, so each copy is compared
# against the original (stat fields 3, 5, 6 = mode, uid, gid on FreeBSD)
# and a warning is printed when they differ.
docommand() {
    LDD=/usr/bin/ldd
    MD=/bin/mkdir
    TMP=`which $TGT`
    if [ -z "$TMP" ]
    then
        echo "Warning - $TGT not found in PATH, skipping"
        return 1
    fi
    DP=`dirname $TMP`
    DF=$DSTDIR$DP/`basename $TMP`
    TMPSTAT=`stat $TMP | awk '{ print $3, $5, $6 }'`
    if [ -d $DSTDIR$DP ] && [ ! -f $DF ]
    then
        cp $TMP $DSTDIR$DP
        DFSTAT=`stat $DF | awk '{ print $3, $5, $6 }'`
        if ( test "$TMPSTAT" != "$DFSTAT" )
        then
            echo "Warning - $TMP and $DF modes differ" && ls -la $TMP && ls -la $DF
        fi
    else
        $MD -p $DSTDIR$DP && cp $TMP $DSTDIR$DP
        DFSTAT=`stat $DF | awk '{ print $3, $5, $6 }'`
        if ( test "$TMPSTAT" != "$DFSTAT" )
        then
            echo "Warning - $TMP and $DF modes differ" && ls -la $TMP && ls -la $DF
        fi
    fi
    # ldd prints "libname => /path/to/lib (0x...)"; the "prog:" header line
    # contains a colon and is dropped, field 3 is the library path.
    for aa in `$LDD $TMP | grep -v ":" | awk '{ print $3 }'`
    do
        DRNAME=`dirname $aa`
        DF1=$DSTDIR$DRNAME/`basename $aa`
        AASTAT=`stat $aa | awk '{ print $3, $5, $6 }'`
        if [ -d $DSTDIR$DRNAME ] && [ ! -f $DF1 ]
        then
            cp $aa $DSTDIR$DRNAME
            DF1STAT=`stat $DF1 | awk '{ print $3, $5, $6 }'`
            if ( test "$AASTAT" != "$DF1STAT" )
            then
                echo "Warning - $aa and $DF1 modes differ" && ls -la $aa && ls -la $DF1
            fi
        else
            $MD -p $DSTDIR$DRNAME && cp $aa $DSTDIR$DRNAME
            DF1STAT=`stat $DF1 | awk '{ print $3, $5, $6 }'`
            if ( test "$AASTAT" != "$DF1STAT" )
            then
                echo "Warning - $aa and $DF1 modes differ" && ls -la $aa && ls -la $DF1
            fi
        fi
    done
};

echo "where you want base dir to be?"
read DSTDIR
echo $DSTDIR
if ( test "$DSTDIR" = "" )
then
    DSTDIR=/usr/home
    echo $DSTDIR
# elseif [ ! -d $DSTDIR ]
# then
#     mkdir -p $DSTDIR
else
    if [ ! -d $DSTDIR ]
    then
        mkdir -p $DSTDIR
    fi
fi

echo "how do you want to call this jail?"
read JDIR
echo $JDIR
if ( test "$JDIR" != "" )
then
    DSTDIR=$DSTDIR/$JDIR;
fi;
if ( test "$JDIR" = "" )
then
    # default jail name is its address
    JDIR=10.10.10.10
    DSTDIR=$DSTDIR/$JDIR
fi
echo $JDIR

# first run for a jail: create the skeleton and a minimal set of programs
if [ ! -d $DSTDIR ]
then
    mkdir -p $DSTDIR
    echo "DEST: $DSTDIR"
    mkdir $DSTDIR/dev && echo "Please copy devices!!!"
    cp /dev/null $DSTDIR/dev/
    echo 'Write "yes" after'
    read y;
    if ( test "$y" != "yes" ); then exit 0; fi
    # for iiii in fd net kmem log mem null random stderr stdin stdout urandom zero
    # do
    #     cp /dev/$iiii $DSTDIR/$JDIR/dev/
    # done
    mkdir $DSTDIR/bin
    mkdir $DSTDIR/etc
    mkdir $DSTDIR/lib
    # the runtime linker is not listed by ldd, copy it explicitly
    mkdir $DSTDIR/libexec && cp /libexec/ld-elf.so.1 $DSTDIR/libexec/
    mkdir $DSTDIR/home
    mkdir $DSTDIR/proc
    mkdir $DSTDIR/tmp
    mkdir $DSTDIR/usr
    mkdir $DSTDIR/var
    mkdir $DSTDIR/var/run
    cd $DSTDIR && ln -s dev/null ./kernel
    for TGT in sh mail syslogd newsyslog cron
    do
        docommand;
    done
fi

echo "what programs d'you want to copy?"
read TGT
echo $TGT
if ( test "$TGT" = "" )
then
    exit 0;
else
    docommand;
fi
exit 0;

Another one to see the processes in different jails:

#!/bin/sh
# List jailed processes (the "J" flag in the ps STAT column) together with
# the jail they run in, which is taken from the /proc/<pid>/file link
# (e.g. /usr/home/10.10.10.198/bin/sh -> 10.10.10.198). With "x" as the
# first argument the IPv4 sockets of each process are shown too (needs lsof).
IFS='
'
mount -t procfs proc /proc
ii=1
iiiii=5
for i in `ps -ajxfw | grep "J" | grep -v grep`
do
    uid=`echo $i|awk '{ print $1 }'`
    pid=`echo $i|awk '{ print $2 }'`
    pnam=`echo $i|awk '{ print $10 }'`
    # line 1 is the ps header (its JOBC column also matches "J"), skip it
    if (test $ii -ne 1)
    then
        iiii=`readlink /proc/$pid/file | awk -F'/' '{ print $4 }'`
        iii=`echo $iiii | awk -F'.' '{ print $4 }'`
        # (a leftover debug "echo ... ; exit 0" here ended the loop after the
        # first process; it has been removed)
        # one colour per jail, by name or by the last octet of its address
        if (test "$iii" = "buk"); then iiiii=2; fi
        if (test "$iii" = "198"); then iiiii=4; fi
        if (test "$iii" = "220"); then iiiii=5; fi
        if (test "$iii" = "222"); then iiiii=6; fi
        if ( test "$1" = x)
        then
            echo -e "\033[1;1;4${iiiii}m${iiii}, ${pid}:\033[2;0m"\
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid\
                `lsof -nn -p ${pid} | grep "IPv4" | awk '{ print $8, $9, $12 }'`
        else
            # echo -e "\033[1;1;42m$iiii, $pid:\033[2;0m"\
            echo -e "\033[1;1;4${iiiii}m${iiii}, ${pid}:\033[2;0m"\
                `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'` $uid
        fi
    fi
    ii=`expr $ii + 1`
done
umount /proc

> Date: Thu, 22 Sep 2005 17:51:02 -0700
> From: Malachi de Ælfweald
> Subject: Re: Requesting advice on Jail technique.
> To: Frank.Mueller@emendis.de
> Cc: Elliot Crosby-McCullough , freebsd-questions@freebsd.org
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> I am thinking at this point what I am going to try to do is build a jail
> skeleton, then use unionfs to mount on top of that... so in theory, I could
> save a LOT of space while at the same time giving them pretty complete jails
> (one per domain).
> Malachi
>
> On 9/13/05, Frank Mueller - emendis GmbH wrote:
>
>>> Hi there,
>>>
>>> if you have enough system resources I would recommend using separate
>>> jails for every user.
>>> All u have to keep in mind is that you won't be able to provide some
>>> services (SMTP, POP, IMAP, etc.) more than once for the whole system
>>> because they need a predefined port (25, 110, 443, etc.).
>>> Some other services, like ssh u can manage through port forwarding, http
>>> through virtual hosting, etc.
>>> Separate jails make it much easier to keep track of activities.
>>> It all depends on what applications the user should be able to use.
>>>
>>> Greetz,
>>>
>>> Ice
>>>
>>> Elliot Crosby-McCullough wrote:
>>>
>>>> > Dear all,
>>>> >
>>>> > I will shortly be creating a public service on a private box that
>>>> > will include shell access to untrusted users and would like your opinion
>>>> > on the best way to go about this.
>>>> >
>>>> > Obviously jails are a good start, but my main concern is whether to
>>>> > go for one large jail for all the restricted users or one small jail per
>>>> > user.
>>>> >
>>>> > I do not have a wealth of real IPs at my disposal but accountability
>>>> > and security is paramount, therefore I would like to use local IPs
>>>> > through NAT (within the one box) whilst retaining the translation logs.
>>>> > I would like to use one local IP per user in order to keep track of
>>>> > activity. I can afford a few real IPs for the purpose.
>>>> >
>>>> > The accounts themselves will be supremely limited. No root access,
>>>> > just basics such as ssh, perhaps telnet, mutt etc. I do not want the
>>>> > users to have the ability to run any scripts, so perl etc is out, but I
>>>> > suppose the NAT firewall will be a fallback if any compiled programs are
>>>> > uploaded.
>>>> >
>>>> > Each user account is likely to have email/gpg etc but I'm happy to
>>>> > control that from the host system with virtual users and simply deliver
>>>> > into the jail. It is not necessary for the jails to run any services,
>>>> > except the ability to SSH in.
>>>> >
>>>> > As you can see there are factors pulling in both directions, what
>>>> > would you recommend as the best direction to go?
>>>> >
>>>> > Sincerely,
>>>> > Elliot Crosby-McCullough
>>>> > _______________________________________________
>>>> > freebsd-questions@freebsd.org mailing list
>>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> > To unsubscribe, send any mail to
>>>> > "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>> --
>>> Frank Mueller
>>> eMail: Frank.Mueller@emendis.de
>>> Mobile: +49.177.6858655
>>> Fax: +49.951.3039342
>>>
>>> emendis GmbH
>>> Hofmannstr. 89, 91052 Erlangen, Germany
>>> Phone: +49.9131.817361
>>> Fax: +49.9131.817386
>>>
>>> Managing directors: Gunter Kroeber, Volker Wiesinger
>>> Registered office Erlangen, Fuerth District Court HRB 10116
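The copy-a-program-and-its-libraries step from the jail-building script at the top of this message, reworked as an added example (this is not the original poster's code): it keeps the permission bits with cp -p instead of only warning when they differ, verifies the mode after the copy, and refuses setuid/setgid binaries unless explicitly allowed. It assumes POSIX sh and the usual "name => /path (0x...)" ldd line format; the function names are mine.

```shell
#!/bin/sh
# Added example, not the original poster's script: the "copy a program and
# its shared libraries into the jail" step, done with a few safety checks.
# Assumes POSIX sh and the usual ldd line format "name => /path (0x...)".

# Print the library paths from ldd output read on stdin. Lines without "=>"
# (the "prog:" header, the vDSO, the ELF interpreter) and unresolved
# "=> not found" entries are skipped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Symbolic mode string such as -rwsr-xr-x; works without stat(1) flags,
# which differ between FreeBSD and Linux.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Copy one absolute path into the jail root ($2), keeping the directory
# layout and the permission bits (cp -p), then verify the mode. Setuid and
# setgid files are refused unless ALLOW_SETUID=yes: a setuid binary inside a
# jail is an escalation surface the jail usually does not need.
jail_copy() {
    src=$1; root=$2
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    if [ -u "$src" ] || [ -g "$src" ]; then
        [ "$ALLOW_SETUID" = yes ] || { echo "refusing setuid/setgid: $src" >&2; return 2; }
    fi
    dst="$root$src"
    mkdir -p "$(dirname "$dst")" && cp -p "$src" "$dst" || return 1
    [ "$(mode_of "$src")" = "$(mode_of "$dst")" ] || { echo "mode mismatch: $dst" >&2; return 3; }
}

# Resolve a program name and copy it plus every library ldd reports for it.
jail_install() {
    prog=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }
    jail_copy "$prog" "$2" || return $?
    for lib in $(ldd "$prog" | ldd_libs); do
        jail_copy "$lib" "$2" || return $?
    done
}
```

The runtime linker (/libexec/ld-elf.so.1 on FreeBSD) is still copied separately, as in the original script, because ldd does not list it with a "=>" entry.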