From owner-freebsd-questions@FreeBSD.ORG Wed Dec 15 23:56:45 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C641C106564A for ; Wed, 15 Dec 2010 23:56:45 +0000 (UTC) (envelope-from indexer@internode.on.net) Received: from mail.internode.on.net (bld-mail14.adl6.internode.on.net [150.101.137.99]) by mx1.freebsd.org (Postfix) with ESMTP id 176F58FC14 for ; Wed, 15 Dec 2010 23:56:44 +0000 (UTC) Received: from staff-251-101.wireless.adelaide.edu.au (unverified [129.127.251.101]) by mail.internode.on.net (SurgeMail 3.8f2) with ESMTP id 50501523-1927428 for multiple; Thu, 16 Dec 2010 10:26:43 +1030 (CDT) Mime-Version: 1.0 (Apple Message framework v1082) Content-Type: text/plain; charset=us-ascii From: Indexer In-Reply-To: <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk> Date: Thu, 16 Dec 2010 10:26:35 +1030 Content-Transfer-Encoding: quoted-printable Message-Id: <0F9350BD-7156-474A-A7C0-5BBFF79E8EDF@internode.on.net> References: <20101215120036.DFC371065849@hub.freebsd.org> <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk> To: Dave X-Pgp-Agent: GPGMail 1.3.1 X-Mailer: Apple Mail (2.1082) Cc: freebsd-questions@freebsd.org Subject: Re: Noob Jail question. X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Dec 2010 23:56:45 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >=20 >=20 > SSH remote login for admin needs (But not for "root" login) Also = working=20 > well. Good! > I think I'd like to run Hiawatha in a Jail, as it seems "the right = thing=20 > to do" with something that will be exposed to the www. =20 > (Comments/advice?) - =46rom a security standpoint it makes sense, as it confines a malicous = user *if* they get in. >=20 > But, how do I arrange it to safely get (read only) access to the = website=20 > data, without preventing the FTPD service from having access to update=20= > that data. FTPD will only be reachable from LAN side of the main = gateway=20 > router, Hiawatha will have an outside world port forwarded to it by = the=20 > router. You notice the way jails work? they are essentially a fenced off part of = your filesystem. So your jail may live in /usr/jails on the host system. = You can access all the contents of the jail from the host of course. An easy answer to this would be something like, have a directory called = /var/www and have the FTPD write to that. Then mount /var/www as a = nullfs in read only mode to /usr/jails/var/www, and point your webserver = (which inside the jail is unaware of some of this) to /var/www (or to = the host, the /usr/jails/var/www) >=20 > What I'm asking I guess, is.. Can a jail'd app, reach outside the = jail=20 > in "read only" mode. (I suspect, maybe?) Or can an app outside the=20= > jail, drop stuff off inside the jail? (For whatever reason, I suspect=20= > not?) A jailed app cannot reach "outside" , this defeat the purpose. On the = other hand the host can "reach in" The best way to learn is to try, so setting it up on a dev machine is = probably the best way to go. Again, if you need more help, email this = list. Sincerely William Brown pgp.mit.edu -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQIcBAEBAgAGBQJNCVW3AAoJEHF16AnLoz6JXo4P/Rg0+pdhxP8tiKeqSGi6n9dy hYj4KsnnG1diggB/+VI7tnffJqhm9HTqds9f+VXqx/YkTXNZirTBSbQtqAPz41Z6 FwAr1bAw5aUVQf8Pc80xsk9UMeI9L1wM7/rjRYRab1h6g8SBv2Gf/AZ4oLC3rO4C PQwigplntB/MIYMBrAsizpBar7f+sPPpftxlYAIl3s3prysja1KTOW4l+NDOPO4U OUQ2o5x4Gpbt/suhlrx/jjWhSRqyhwblN8DEXkwuIyR6HT9PuUOH05YDB1bg4nSs OW8N5ZD6VoTkcDP1kayBoD5kEcRQX4eji9LksTnsJoxXb4bers1JyT2wsAYZr5LC W45UEtvaHjidsP4mpnnaWMeHL7U89YEaUub8PtR3NYs2ky2A3stw2qKDemvQuP1q QntJVeq8VETig139aKjBcEs04NW/8MkEajKigkDFmUEoHpFfxAsIsIUZO6P0QElQ whcFTDLiq9IG+J+eeq3/YcykCWLJju1cnL0Nzah91L5GHTi866cR2vafP8aJN1/5 D2EQEoghbstIjgTtTBC5Y+csBDffzAS6MfjsJ0S8TC8fYBRSF5sAqQXAc3x/pNZ6 lw8GNgkAmLrrKMmRpbmnHJbGOs22udzfuqtEKMs+dme+L0xNeCuZSJGbxC2+CXtD qayfvD4Kqj8yK+vYMBAt =3D8A/f -----END PGP SIGNATURE-----