Date:      Wed, 4 Apr 2012 23:34:46 +0200
From:      Roland Smith <rsmith@xs4all.nl>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best practices about Jails
Message-ID:  <20120404213445.GB23551@slackbox.erewhon.net>
In-Reply-To: <4F7C0365.1050201@netfence.it>
References:  <4F7C0365.1050201@netfence.it>


On Wed, Apr 04, 2012 at 10:16:37AM +0200, Andrea Venturoli wrote:
> Hello.
>
> Please forgive the long post and the amount of questions, but I'm new to
> jails and I'd like to be sure of what I'm doing before deploying more
> than a test one.
> Right now I need to run a commercial Java app, which, ideally, I would
> forbid to access files outside its directory.
> This might be done by simply chrooting it, but I read a jail is a better
> solution, so I started with ezjails.

> First of all, I'm wondering whether it would be possible/useful to use
> chroot even inside that jail. Any opinions?

Not very useful. If one chroot is safe, a double is overkill. If chroot can
be broken out of, an extra chroot is at most an inconvenience.

> Second question: from inside the jail I can access all services on
> localhost (eg. telnet localhost pop3, where a pop3 server is running on
> the host). Can this be avoided, e.g. with ipfw?

The pf firewall allows you to explicitly exclude aliases from interface
names. I'm assuming ipfw has similar capabilities. If you make a _pass_ rule
for just the real interface without the aliases, you should be able to block
stuff.

Maybe you can create a loopback device, and associate the jail with that. Then
you can filter the traffic to/from that to your heart's content.

> Ideally, since this jail will run only one daemon and it will be
> accessed through Apache mod_proxy from the host, I'll just need inbound
> access to its port and outbound access to smtp and web proxy on the host
> system. No direct access from/to other hosts.
> Is this possible?

I think so. If you alias the jail to a new loopback interface, you can
filter on that.

> Next... ezjail's author suggests I have a copy of the port tree just for
> the jails and, furthermore, a repository for distfiles for every jail.
> Since this would waste a lot of space, I already used a single distfile
> repository, but I'm also wondering whether it would be a bad idea to use
> the host's port tree. I know lot of people do this and, keeping it tidy
> with portsclean -CD, I wonder if it really would be a security risk in
> my case.

Does your daemon even use ports? If not, there is no use for the ports tree.

But if you want it, you can use a combination of nullfs and unionfs to get a
read-only "view" of the host's ports tree in the jail, while the "writes" are
done in the unionfs. This means that you only have to update the host's ports
tree, and the jail will automagically see it. Suppose the root of your jail is
in /var/jails/192.168.0.100/. You do the following (in the host) to set it up:

    # cd /var/jails/192.168.0.100/usr
    # mkdir tmp/foo
    # mount_nullfs /usr/ports/ ports/
    # mount_unionfs -o noatime tmp/foo ports/

To tear this down when you don't need it anymore, do this:

    # umount /var/jails/192.168.0.100/usr/ports
    # umount /var/jails/192.168.0.100/usr/ports
    # cd /var/jails/192.168.0.100/usr
    # rm -rf tmp/foo/*

And yes, the umount command _does_ need to be run twice: once for the unionfs,
and once for the nullfs! The contents of
`/var/jails/192.168.0.100/usr/tmp/foo/*` are deleted to save space.
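The setup and teardown above as a script, added here as an example that is not part of the message: it checks the mount state before acting, unmounts one layer at a time, and mounts the nullfs layer read-only so the host's ports tree stays untouchable from the jail even if the unionfs is gone. The jail root and /usr/ports paths are assumptions taken from the message.

```shell
#!/bin/sh
# Added example (not from the message): the nullfs+unionfs overlay wrapped
# with mount-state checks. Paths assume the jail root and ports tree used
# in the message.
set -eu

HOST_PORTS=/usr/ports
JAIL_ROOT=/var/jails/192.168.0.100
OVERLAY=$JAIL_ROOT/usr/ports        # where the jail sees the ports tree
UPPER=$JAIL_ROOT/usr/tmp/foo        # unionfs upper layer: absorbs all writes

# Number of filesystems currently stacked on mountpoint $1, parsed from
# `mount` output ("<from> on <mountpoint> (<type>, ...)"); 0 if none.
layers_on() {
    mount | awk -v mp="$1" '$3 == mp { n++ } END { print n + 0 }'
}

setup() {
    [ -d "$OVERLAY" ] || { echo "missing $OVERLAY" >&2; return 1; }
    if [ "$(layers_on "$OVERLAY")" -ne 0 ]; then
        echo "$OVERLAY already has an overlay mounted" >&2; return 1
    fi
    mkdir -p "$UPPER"
    # Lower layer read-only: should the unionfs ever be removed while the
    # nullfs stays, the jail still cannot modify the host's ports tree.
    mount_nullfs -o ro "$HOST_PORTS" "$OVERLAY"
    mount_unionfs -o noatime "$UPPER" "$OVERLAY"
}

teardown() {
    # One umount per layer: the unionfs comes off first, then the nullfs.
    while [ "$(layers_on "$OVERLAY")" -ne 0 ]; do
        umount "$OVERLAY"
    done
    # Only now is it safe to discard the upper layer (the jail's writes,
    # e.g. work directories and anything fetched into distfiles).
    rm -rf "$UPPER"
}

# Dispatch only when invoked with an argument ("up" or "down").
if [ $# -gt 0 ]; then
    case "$1" in
        up)   setup ;;
        down) teardown ;;
        *)    echo "usage: $0 up|down" >&2; exit 64 ;;
    esac
fi
```

Note that with the lower layer read-only, distfiles fetched from inside the jail land in the upper layer under tmp/foo rather than in the host's shared distfiles directory.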

> What about jails? Should I install portaudit there too and let them flood me
> with reports? Is there a way to let the host's portaudit check jails too?

With the nullfs/unionfs combo, you only need to update the ports tree
once. You do need to update the ports in your jail with e.g. portmaster.

Roland
--
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120404213445.GB23551>