From: albinootje <albinootje@gmail.com>
Date: Sun, 29 Jul 2007 23:16:05 +0200
To: Paul Hoffman, freebsd-jail@FreeBSD.org
Subject: Re: What to put in devfs for a typical jail
Message-ID: <46AD0395.2020505@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

Paul Hoffman wrote:
> Greetings. I want to set up a jail for a web server. It only needs to
> access the things a normal system would (its own disk space, the network
> controller, the keyboard, and so on). I need to be SSHing into the
> jailed system to control it.
# a piece from /etc/rc.conf from the host as an example here :

jail_enable="YES"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_list="assp"

# assp-jail
#
jail_assp_rootdir="/usr/jails/assp"
jail_assp_hostname="assp.mydomain.org"
jail_assp_ip="192.168.111.111"
jail_assp_exec="/bin/sh /etc/rc"
jail_assp_devfs_enable="YES"
jail_assp_devfs_ruleset="devfsrules_jail"
#                        ^^^^^^^^^^^^^^^^^^^^
jail_assp_interface=rl0

# by using this approach (including --> jail_assp_devfs_ruleset="devfsrules_jail")
the jail itself ends up having a minimal /dev/ while all the software from
ports (excluding audio-software perhaps ;]) runs fine

ls -la /usr/jails/assp/dev/
total 1
dr-xr-xr-x  2 root  wheel     512 Jun 27 20:24 fd
lrwxr-xr-x  1 root  wheel      14 Jun 27 20:24 log -> ../var/run/log
crw-rw-rw-  1 root  wheel    0,  10 Jul 29 23:11 null
crw-rw-rw-  1 root  wheel    0,  95 Jul 29 23:07 ptyp0
crw-rw-rw-  1 root  wheel    0,  97 Jul 25 22:16 ptyp1
crw-rw-rw-  1 root  wheel    0, 101 Jul  8 16:36 ptyp2
crw-rw-rw-  1 root  wheel    0, 103 Jul 29 23:13 ptyp3
crw-rw-rw-  1 root  wheel    0, 105 Jul 27 15:13 ptyp4
crw-rw-rw-  1 root  wheel    0, 107 Jul  1 22:15 ptyp5
crw-rw-rw-  1 root  wheel    0,  13 Jun 15 21:40 random
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stderr -> fd/2
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stdin -> fd/0
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stdout -> fd/1
crw-rw-rw-  1 root  wheel    0,  96 Jul 29 23:13 ttyp0
crw-rw-rw-  1 root  wheel    0,  98 Jul 25 22:19 ttyp1
crw-rw-rw-  1 root  wheel    0, 102 Jul 29 23:13 ttyp2
crw-rw-rw-  1 root  wheel    0, 104 Jul 29 23:13 ttyp3
crw--w----  1 root  tty      0, 106 Jul 27 15:12 ttyp4
crw-rw-rw-  1 root  wheel    0, 108 Jul  1 23:11 ttyp5
lrwxr-xr-x  1 root  wheel       6 Jun 27 20:24 urandom -> random
crw-rw-rw-  1 root  wheel    0,  11 Jun 15 19:40 zero
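The point of the devfs ruleset in the rc.conf fragment above is that the jail sees only the handful of device nodes it needs, and nothing from the host (disks, kernel memory, raw network devices). A cheap way to keep that property honest after ruleset edits or upgrades is to diff the jail's /dev against an allowlist. The script below is an added example, not code from the list post or from FreeBSD: it parses an `ls -la` listing of a jail's /dev, reports every node that is not on an assumed allowlist (the names in the listing above plus BSD pty/tty pairs), and exits non-zero when something unexpected shows up. The two sample listings are constructed; the jail path in the comments is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the list post above: audit a jail's /dev against
# an allowlist of the device names a minimal devfs jail ruleset is expected to
# expose. The allowlist is an assumption modelled on the listing in the post
# (plus BSD pty/tty pairs); both sample listings below are constructed.

# Device names a minimal jail /dev is expected to contain (assumed baseline).
JAIL_DEV_ALLOWLIST="fd log null random stderr stdin stdout urandom zero"

# dev_allowed NAME: return 0 if NAME belongs in the jail's /dev, 1 otherwise.
dev_allowed() {
    for ok in $JAIL_DEV_ALLOWLIST; do
        [ "$1" = "$ok" ] && return 0
    done
    case "$1" in
        ptyp[0-9a-v]|ttyp[0-9a-v]) return 0 ;;   # BSD-style pseudo-terminal pairs
    esac
    return 1
}

# audit_jail_dev_listing: read an "ls -la <jailroot>/dev" listing on stdin,
# print every entry that is not on the allowlist and return 1 if any was found.
audit_jail_dev_listing() {
    unexpected=""
    while IFS= read -r line; do
        case "$line" in
            ''|total\ *) continue ;;            # skip blank and "total N" lines
        esac
        name=${line%%" -> "*}                   # drop a symlink target, if any
        name=${name##* }                        # keep the last field: the name
        case "$name" in
            .|..) continue ;;
        esac
        dev_allowed "$name" || unexpected="$unexpected $name"
    done
    if [ -n "$unexpected" ]; then
        printf 'unexpected device nodes in jail /dev:%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Constructed sample: a minimal /dev like the one devfsrules_jail produced.
sample_listing_clean() {
    cat <<'EOF'
total 1
dr-xr-xr-x  2 root  wheel     512 Jun 27 20:24 fd
lrwxr-xr-x  1 root  wheel      14 Jun 27 20:24 log -> ../var/run/log
crw-rw-rw-  1 root  wheel    0,  10 Jul 29 23:11 null
crw-rw-rw-  1 root  wheel    0,  95 Jul 29 23:07 ptyp0
crw-rw-rw-  1 root  wheel    0,  13 Jun 15 21:40 random
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stderr -> fd/2
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stdin -> fd/0
lrwxr-xr-x  1 root  wheel       4 Jun 27 20:24 stdout -> fd/1
crw-rw-rw-  1 root  wheel    0,  96 Jul 29 23:13 ttyp0
lrwxr-xr-x  1 root  wheel       6 Jun 27 20:24 urandom -> random
crw-rw-rw-  1 root  wheel    0,  11 Jun 15 19:40 zero
EOF
}

# Constructed sample: the same jail with the ruleset not applied, so host
# device nodes (a disk and kernel memory) are visible inside the jail.
sample_listing_leaky() {
    sample_listing_clean
    cat <<'EOF'
crw-r-----  1 root  operator 0,  70 Jul 29 23:11 ada0
crw-r-----  1 root  kmem     0,   5 Jul 29 23:11 kmem
EOF
}

# Demo on the constructed listings. To check a real jail, source this file
# and run:  ls -la /usr/jails/assp/dev | audit_jail_dev_listing
sample_listing_clean | audit_jail_dev_listing
sample_listing_leaky | audit_jail_dev_listing || :
```

Run as-is, the clean listing prints nothing and the leaky one reports `ada0` and `kmem`. Because the allowlist is by name only, extend `dev_allowed` if your ruleset deliberately unhides more (for example a tun or bpf node for a jail that needs it); anything you do not add stays a finding, which is the behaviour you want from an allowlist.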