Date: Tue, 13 Sep 2005 16:02:20 +0200
From: albi <albi@scii.nl>
To: freebsd-questions@freebsd.org
Subject: Re: Requesting advice on Jail technique.
Message-ID: <20050913160220.1754eee6.albi@scii.nl>
In-Reply-To: <4326D764.1040402@xianshi.org>
References: <4326D764.1040402@xianshi.org>
On Tue, 13 Sep 2005 14:43:00 +0100 Elliot Crosby-McCullough <freebsd@xianshi.org> wrote:

> Obviously jails are a good start, but my main concern is whether to go
> for one large jail for all the restricted users or one small jail per user.

-- cut --

> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc. is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
>
> Each user account is likely to have email/gpg etc. but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail. It is not necessary for the jails to run any services,
> except the ability to SSH in.

You could follow the ideas I've used: http://scii.nl/~albi/BSD/new.txt (this is part of an "unfinished howto").

The idea is that you make a build-jail to build all the ports. The /bin, /sbin, /usr/bin and /usr/sbin get mounted via nullfs from the host, which basically means that you only have to do the "make installworld" once, only for the host system. The build-jail software then gets mounted (as much or as little as you like) from the jails, and of course you can limit their access by changing permissions on the /bin dirs etc., or just by giving them their needed binaries hard-linked in their ~/bin.

You can try the new chroot option from the latest openssh-portable for them (and disable the base ssh), although I have personally not played with that option yet.

Making separate ssh-jails for them is possible with ip_aliases, no real IPs needed.

HTH

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
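The build-jail/nullfs layout albi describes, as an added illustration (this is not albi's howto or FreeBSD project code): a small sh script that writes the per-jail fstab lines which nullfs-mount the build-jail's binary directories into a user jail read-only, and a checker that flags any nullfs mount left writable. The jail paths and the list of shared directories are assumptions for illustration; the fstab field order and the `ro`/`nosuid` mount options are the standard FreeBSD ones.

```shell
#!/bin/sh
# Added example; paths are assumptions, not from the original mail.
BUILD_ROOT="${BUILD_ROOT:-/usr/jails/build}"      # the build-jail (assumed path)
SHARED_DIRS="bin sbin usr/bin usr/sbin usr/lib usr/local"

# Print one fstab line per shared directory. Mount read-only so jail users
# cannot alter the shared tree, and nosuid so a setuid binary inside it
# cannot be leveraged from within the user jail.
jail_fstab_lines() {
    jail_root="$1"
    for d in $SHARED_DIRS; do
        printf '%s %s nullfs ro,nosuid 0 0\n' "$BUILD_ROOT/$d" "$jail_root/$d"
    done
}

# Audit an existing per-jail fstab: report every nullfs line whose option
# list lacks "ro". Returns 1 if any writable nullfs mount was found.
check_fstab_readonly() {
    rc=0
    while read -r src dst fstype opts dump pass; do
        [ "$fstype" = nullfs ] || continue
        case ",$opts," in
            *,ro,*) ;;
            *) echo "writable nullfs mount: $src -> $dst ($opts)"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Typical use (assumed jail name "user1"):
#   jail_fstab_lines /usr/jails/user1 > /etc/fstab.user1
#   check_fstab_readonly /etc/fstab.user1
```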
