From: Boris Samorodov <bsam@ns.kfs.ru>
To: "Dave" <dave@g8kbv.demon.co.uk>
Cc: freebsd-questions@freebsd.org
Date: Thu, 16 Dec 2010 15:56:44 +0300
Subject: Re: Noob Jail question.
Message-ID: <47419283@serv3.int.kfs.ru>
In-Reply-To: <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk> (dave@g8kbv.demon.co.uk's message of "Wed, 15 Dec 2010 23:32:20 -0000")

"Dave" writes:

> I've been reading the FreeBSD Manual (a dangerous thing to do during
> lunchtimes!) relating to Jails. Other than making my head spin, I'm
> finding it a tad difficult finding out just what you can/can't do with a
> Jail. Mainly, because I'm not familiar with a lot of the terms used, and
> though the man pages are no doubt correct as a reference, they don't
> "explain" it well, in as much as how to use it, well in my addled mind at
> the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing
> to do" with something that will be exposed to the www.
> (Comments/advice?)
>
> But, how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update
> that data. FTPD will only be reachable from the LAN side of the main gateway
> router, Hiawatha will have an outside world port forwarded to it by the
> router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail
> in "read only" mode? (I suspect, maybe?) Or can an app outside the
> jail drop stuff off inside the jail? (For whatever reason, I suspect
> not?)
>
> If anyone understands what the heck I'm blathering on about, please
> explain it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?

You may try to use sysutils/ezjail to install/manage/etc jails. Using
ezjail-admin is quite easy. Ezjails are really light (they use read-only
mount_nullfs to a basejail rather than real filesystems).

Then you may consider using one jail for FTPD with write access and
another jail for the HTTPD server with read-only access (say, read-only
mount_nullfs) to the files/filesystems written by FTPD.

--
WBR, bsam
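The two-jail layout suggested above, as an added example that is not part of the thread: per-jail fstab entries (ezjail keeps them in /etc/fstab.<jailname>) that nullfs-mount one host directory read-write into the FTPD jail and read-only into the web jail, plus a check that the web jail's fstab really only grants ro. Jail names, the /data/www path and the ./fstab-demo dry-run directory are assumptions; on the jail host point FSTAB_DIR at /etc.

```shell
#!/bin/sh
# Added example, not from the thread. Jail names and paths are assumed.
SITE_DATA=/data/www                     # host directory FTPD writes into
JAILROOT=/usr/jails                     # ezjail's default jail root
FSTAB_DIR=${FSTAB_DIR:-./fstab-demo}    # dry run; use FSTAB_DIR=/etc on the host

# Write fstab.<jail>: one nullfs line exporting SITE_DATA with the given mode.
write_jail_fstab() {
    jail=$1 mode=$2
    printf '%s\t%s\tnullfs\t%s\t0\t0\n' \
        "$SITE_DATA" "$JAILROOT/$jail$SITE_DATA" "$mode" \
        > "$FSTAB_DIR/fstab.$jail"
}

# Return 0 only if SITE_DATA is exported into the jail via nullfs with the
# ro option and never with rw; return 1 if it is missing, rw, or not ro.
check_readonly() {
    jail=$1
    awk -v src="$SITE_DATA" '
        BEGIN { n = 0; bad = 0 }
        $1 == src && $3 == "nullfs" {
            n++
            if ($4 !~ /(^|,)ro(,|$)/ || $4 ~ /(^|,)rw(,|$)/) bad++
        }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }
    ' "$FSTAB_DIR/fstab.$jail"
}

mkdir -p "$FSTAB_DIR"
write_jail_fstab ftpjail rw    # FTPD jail may update the site
write_jail_fstab webjail ro    # Hiawatha jail may only read it
```

Run check_readonly against the web jail's fstab before starting it; a non-zero exit means the jail would get a writable view of the site data.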