Date:      Thu, 16 Dec 2010 10:26:35 +1030
From:      Indexer <indexer@internode.on.net>
To:        Dave <dave@g8kbv.demon.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Noob Jail question.
Message-ID:  <0F9350BD-7156-474A-A7C0-5BBFF79E8EDF@internode.on.net>
In-Reply-To: <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk>
References:  <20101215120036.DFC371065849@hub.freebsd.org> <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk>


>
>
> SSH remote login for admin needs (But not for "root" login) Also working
> well.

Good!

> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing
> to do" with something that will be exposed to the www.
> (Comments/advice?)

From a security standpoint it makes sense, as it confines a malicious
user *if* they get in.

>
> But, how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update
> that data.  FTPD will only be reachable from LAN side of the main gateway
> router, Hiawatha will have an outside world port forwarded to it by the
> router.

You notice the way jails work? They are essentially a fenced-off part of
your filesystem. So your jail may live in /usr/jails on the host system.
You can access all the contents of the jail from the host, of course.

An easy answer to this would be something like: have a directory called
/var/www and have the FTPD write to that. Then mount /var/www as a
nullfs in read-only mode to /usr/jails/var/www, and point your webserver
(which inside the jail is unaware of some of this) to /var/www (or, on
the host, the /usr/jails/var/www).


>
> What I'm asking I guess, is..  Can a jail'd app, reach outside the jail
> in "read only" mode.   (I suspect, maybe?)   Or can an app outside the
> jail, drop stuff off inside the jail?  (For whatever reason, I suspect
> not?)

A jailed app cannot reach "outside"; this defeats the purpose. On the
other hand, the host can "reach in".

The best way to learn is to try, so setting it up on a dev machine is
probably the best way to go. Again, if you need more help, email this
list.


Sincerely

William Brown

pgp.mit.edu



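One way to carry out the nullfs arrangement described in the reply above, as an added example that is not part of the original message: it assumes, as the mail does, that FTPD writes to /var/www on the host and that the jail is rooted at /usr/jails, so the jailed web server reads /var/www while the host sees the same files at /usr/jails/var/www.

```shell
#!/bin/sh
# Added example, not from the original thread: expose a host-side web root
# read-only inside a jail with a nullfs mount.
# Assumed paths (from the mail): host data /var/www, jail root /usr/jails.
HOST_DATA=${HOST_DATA:-/var/www}
JAIL_ROOT=${JAIL_ROOT:-/usr/jails}

# Host-side path at which a host directory appears inside the jail.
jail_mountpoint() {
    printf '%s%s\n' "$JAIL_ROOT" "$1"
}

# fstab(5) line so the read-only nullfs mount comes back after a reboot.
nullfs_fstab_line() {
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$1" "$(jail_mountpoint "$1")"
}

# Perform the mount (run as root on the FreeBSD host, not inside the jail).
mount_ro_into_jail() {
    mkdir -p "$(jail_mountpoint "$1")"
    mount -t nullfs -o ro "$1" "$(jail_mountpoint "$1")"
}

# Check that the mount really is read-only: mount(8) must list it with
# "read-only", and a write attempt through the jail-side path must fail.
verify_ro_mount() {
    mp=$(jail_mountpoint "$1")
    mount | grep -q "^$1 on $mp (nullfs, .*read-only" || return 1
    if touch "$mp/.ro-check" 2>/dev/null; then
        rm -f "$mp/.ro-check"
        return 1
    fi
    return 0
}

# Usage: sh jailro.sh fstab   -> print the fstab line to add on the host
#        sh jailro.sh apply   -> mount and verify (as root)
case "${1:-}" in
    fstab) nullfs_fstab_line "$HOST_DATA" ;;
    apply) mount_ro_into_jail "$HOST_DATA" && verify_ro_mount "$HOST_DATA" ;;
esac
```

Because the jail never sees /var/www as writable, a compromised web server can read the site but cannot alter it, while FTPD on the host keeps updating the files normally.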


