From owner-freebsd-questions@FreeBSD.ORG Tue Oct 13 15:37:32 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 034C91065694 for ; Tue, 13 Oct 2009 15:37:32 +0000 (UTC) (envelope-from kraduk@googlemail.com) Received: from mail-yw0-f197.google.com (mail-yw0-f197.google.com [209.85.211.197]) by mx1.freebsd.org (Postfix) with ESMTP id B09138FC0A for ; Tue, 13 Oct 2009 15:37:31 +0000 (UTC) Received: by ywh35 with SMTP id 35so33202762ywh.7 for ; Tue, 13 Oct 2009 08:37:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=F1nQ+xVQxCNDDiJfUXnp6pnAjv3Vt6HDUeZrBHEzRhI=; b=dhTNPaGj5lH+cfsck6q4hUycF8+IC7BYsaFUwKNZ8K/HxB/YUqJ2ztheZ4kAVYQxji 7lyr0hceK3UvtBnIIM2D1yf5qz7K5dBIkm63vdK1SsqjFE6ygOgDTowJ4gwmmebEw8Fu 2pTDBoF3ztaWAT3IIN1gL/m/PHUGCie/wh/8M= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=IcrdSgqMkzzdz6hDwH6H2qLwQ1W0jgDKpejJ5A304pSqNoWlQWuuiOp5+AEmBOwLWq yL3hkT0LqoVIaI05PtGHuowOfcBvmnfakRgka/rfZnzlFyNMA/0ruJ9XnMbdfzWgu1XF TTGndYgk1bIspV6EtCHIdIe/pcVGb3/kfDOtM= MIME-Version: 1.0 Received: by 10.239.179.91 with SMTP id c27mr508530hbg.51.1255448250240; Tue, 13 Oct 2009 08:37:30 -0700 (PDT) In-Reply-To: <815964.80537.qm@web51104.mail.re2.yahoo.com> References: <815964.80537.qm@web51104.mail.re2.yahoo.com> Date: Tue, 13 Oct 2009 16:37:30 +0100 Message-ID: From: krad To: Dino Vliet Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-questions@freebsd.org Subject: Re: freebsd jail: web and database server config questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Oct 2009 15:37:32 -0000 2009/10/13 Dino Vliet > > Dear Freebsd people, > > To consolditae on resources I have configured a machine to run both a web > and database server (powering my database driven website). > > Due to security concerns I'm contemplating on introducing a jailed > environment on this machine and want to know if this would be feasible. I > have a few questions for the freebsd community regarding this approach and > hope someone would give me some advice. > > Is it advisable/wise/okay/clever to run a webserver on my host system and a > database server on my jailed system? The webserver will need to connect to > the database system on startup and update the database based on client > access. > > However, if a machine gets compromised, it would rather be the webserver, > therefore running the webserver in the jailed environment seems better to > me. But how could that be done, if the webserver requires to connect through > tcp/ip to the database server running on the host system? I thought that a > key-feature of a jailed system is that it can't access resources outside the > jail. > > And how do I go around when I need to update my host system due to a > security advisory. I heard the jailed environment will not be affected? So > basically that means I would need to create a new jail everytime I recompile > (as that's the way I'm using to stay current) > > Hope to hear from you, > Brgds > Dino > > > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > ok jail updates are fairly easy to get around. The way I have dont it for years is to nullfs the host systems /usr into the jail(s) as ro. I also had a copy of /lib /bin /libexec and /sbin under /usr/jailbins. The said dirs in the jails were then sym links to the relevent dir in jailbins eg $ ls -ltr ; pwd drwxr-xr-x 20 root wheel 107 Jun 25 2008 etc drwxr-xr-x 2 root wheel 46 Sep 23 10:21 bin drwxr-xr-x 3 root wheel 106 Sep 23 10:21 lib drwxr-xr-x 2 root wheel 139 Sep 23 10:22 sbin drwxr-xr-x 2 root wheel 6 Sep 23 10:23 libexec /usr/jailbins $ ls -ltr /jails/clamav/root/ | grep "\->" lrwxrwxrwx 1 root wheel 11 Apr 1 2006 sys -> usr/src/sys lrwxrwxrwx 1 root wheel 18 Apr 1 2006 sbin -> /usr/jailbins/sbin lrwxrwxrwx 1 root wheel 21 Apr 1 2006 libexec -> /usr/jailbins/libexec lrwxrwxrwx 1 root wheel 17 Apr 1 2006 lib -> /usr/jailbins/lib lrwxrwxrwx 1 root wheel 17 Apr 1 2006 bin -> /usr/jailbins/bin from fstab /usr /jails/clamav/root/usr nullfs ro 2 0 /jails/clamav/usr.etc /jails/clamav/root/usr/local/etc nullfs ro 2 0 the 2nd line means each jail can have its own dedicated local rc, but it cant be modified from within the jail I then stuck these lines in rc.local on the host system to keep the jailbins update /usr/local/bin/rsync -aH /bin/ /usr/jailbins/bin/ /usr/local/bin/rsync -aH /sbin/ /usr/jailbins/sbin/ /usr/local/bin/rsync -aH /lib/ /usr/jailbins/lib/ /usr/local/bin/rsync -aH /libexec/ /usr/jailbins/libexec/ now when i do a makeworld on the host system the jails inherit everything. You might not always want to do this, but i never had any serious issues. Sticking mysql and apache in jails is fairly straight forward after that, just get them to communicate over ip and make sure you wrap the db internally, and with tcpwrappers and pf/ipf/ipfw You could also look at mod_jail for apache. It looks like it lets you run apache whithout the hassle of setting up a full jailed environment. I havent used it myself though but would be interested to see how others have faired with it. There are also good tools like ezjail with will automate a lot of the jail process for you.