From: Luzar
Date: Sat, 15 Nov 2014 15:00:00 +0800
To: Robert Sevat
Cc: freebsd-questions@freebsd.org
Subject: Re: How much of freebsd can be made read-only in a jail
Message-ID: <5466F9F0.6080207@gmail.com>
In-Reply-To: <5466E135.80304@indylix.nl>

Robert Sevat wrote:
> Hey all,
>
> I've started using Ansible to make my life easier while managing a lot
> of jails. I've used ezjail up until now, but if I am using automation to
> manage them anyway, I might as well let Ansible set up the jails in an
> even more restrictive way. I am aware of the existence of bsdploy, but
> that uses ezjail and I'm aiming for an even more locked-down system.
>
> Goal:
> - make it impossible to install programs from inside the jail; only
>   install them from outside the jail with pkg -j
> - make it impossible to edit any configuration files from inside the jail,
>   since that can be done from the host.
>
> So my question is, how much can be made read-only?
>
> And what needs to be kept writable at a minimum for this to work?
> /tmp
> /var/log (configure a syslog server so logs don't need to be stored locally?)
> /var/tmp?
> /var/db?
>
> Anything I'm missing, or other directories that should be writable? It
> will of course depend per application, but I only run one service per
> jail, so application-specific exceptions will be made while configuring
> the jail in the Ansible playbook.
>
> Maybe I'm overlooking something and this is a bad idea because $reason?
> Any other advice / tips?
>
> Thank you for your time!
>
> Kind regards,
> Robert Sevat

If your jail config files and running directories [system & user] are read-only, you cannot install packages from the host. Your whole concept is flawed from the get-go. [Ansible] is a software product you have to purchase.
If you're supporting a large enterprise, then maybe the $1000.00 per year cost can be justified. The FreeBSD port is just the 30-day free trial version. I suggest you check out the qjail utility.
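The layout Robert asks about, as an added example that is not part of this thread and not code from either poster: a POSIX sh helper that writes the jail(8) mount.fstab and a jail.conf(5) entry for a jail whose root is a read-only nullfs view of a host-owned image directory, with tmpfs for /tmp and /var/tmp and per-jail writable nullfs overlays for /var/log and /var/run. The jail name, the /jails base directory, the function names and the writable set are assumptions for illustration. The point it shows: a nullfs mount with `ro` is read-only only in the jail's view, while the host still writes to the underlying image directory, so package installation (`pkg -r /jails/www/image install ...`) and config edits happen from the host and processes inside the jail get EROFS. Note that `pkg -j` attaches to the jail and therefore sees the read-only root, which is the failure Luzar describes; run pkg with `-r` against the image path instead.

```shell
#!/bin/sh
# Added example (not from the thread): generate jail(8) configuration for a
# jail whose root is a read-only nullfs view of a host-owned image directory.
# Jail name, the /jails base and the writable set are assumptions; tune
# RW_DIRS per service.

# Runtime-writable paths inside the jail. Everything else stays read-only.
RW_DIRS="/tmp /var/tmp /var/log /var/run"

# gen_fstab NAME BASE - print the mount.fstab for jail NAME under BASE.
# Layout (all paths on the host):
#   BASE/NAME/image  host writes here (pkg -r BASE/NAME/image install ...,
#                    config edits); the jail sees it read-only
#   BASE/NAME/root   the jail's path
#   BASE/NAME/rw     per-jail persistent state (logs, pid files, sockets)
# Order matters: the read-only root is mounted before the overlays.
gen_fstab() {
    name=$1; base=$2
    img="$base/$name/image"
    root="$base/$name/root"
    rw="$base/$name/rw"
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$img" "$root"
    for d in $RW_DIRS; do
        case $d in
        /tmp|/var/tmp)
            # Scratch space: tmpfs with the sticky bit, discarded on restart.
            printf 'tmpfs\t%s\ttmpfs\trw,mode=1777\t0\t0\n' "$root$d" ;;
        *)
            # Persistent state: writable nullfs from the per-jail rw tree.
            printf '%s\t%s\tnullfs\trw\t0\t0\n' "$rw$d" "$root$d" ;;
        esac
    done
}

# gen_jail_conf NAME BASE - print a jail.conf(5) entry that uses the fstab.
gen_jail_conf() {
    name=$1; base=$2
    cat <<EOF
$name {
    path = "$base/$name/root";
    host.hostname = "$name";
    mount.devfs;
    mount.fstab = "$base/$name/fstab";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    # Nothing in the jail should change mounts or open raw sockets.
    allow.mount = 0;
    allow.raw_sockets = 0;
}
EOF
}

# gen_rc_conf - rc.conf(5) lines for the jail's image that switch off the
# boot-time writes to /etc and /var/db which would otherwise fail with EROFS.
gen_rc_conf() {
    cat <<'EOF'
update_motd="NO"
entropy_file="NO"
sendmail_enable="NONE"
EOF
}

# setup_jail NAME BASE - create the host directories and write the files.
# Starting the jail (jail -c NAME) needs root; generation does not.
setup_jail() {
    name=$1; base=$2
    mkdir -p "$base/$name/root" "$base/$name/image" \
             "$base/$name/rw/var/log" "$base/$name/rw/var/run"
    gen_fstab "$name" "$base" > "$base/$name/fstab"
    gen_jail_conf "$name" "$base" >> "$base/jail.conf"
    gen_rc_conf > "$base/$name/image/etc/rc.conf.local"
}
```

Two caveats a practitioner would check: first, /var/db is deliberately not in RW_DIRS, because a writable overlay on all of /var/db would hide the image's /var/db/pkg that the host-side pkg run maintains; overlay only the subdirectory a given service needs. Second, any rc script or daemon that still writes under /etc or /usr/local will fail at start, which is exactly the signal you want: add that path to the per-jail rw tree, or turn the write off in rc.conf, rather than loosening the whole root.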