Date: Tue, 13 Sep 2005 16:02:20 +0200
From: albi
To: freebsd-questions@freebsd.org
Message-Id: <20050913160220.1754eee6.albi@scii.nl>
In-Reply-To: <4326D764.1040402@xianshi.org>
Subject: Re: Requesting advice on Jail technique.

On Tue, 13 Sep 2005 14:43:00 +0100
Elliot Crosby-McCullough wrote:

> Obviously jails are a good start, but my main concern is whether to go
> for one large jail for all the restricted users or one small jail per user.

-- cut --

> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
>
> Each user account is likely to have email/gpg etc but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail. It is not necessary for the jails to run any services,
> except the ability to SSH in.

you could follow the ideas i've used, http://scii.nl/~albi/BSD/new.txt
(this is part of an "unfinished howto")

the idea is that you make a build-jail to build all the ports, the /bin
/sbin /usr/bin /usr/sbin get mounted via nullfs from the host, which
basically means that you only have to do the "make installworld" once,
only for the host-system

the build-jail software then gets mounted (as much or less if you like)
from the jails, and of course you can limit their access by changing
permissions on the /bin dirs etc. or just giving them their needed
binaries hard-linked in their ~/bin

you can try the new chroot-option from the latest openssh-portable for
them (and disable the base-ssh), although i have personally not played
with that option yet

making separate ssh-jails for them is possible with ip_aliases, no real
ip's needed

HTH

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
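
The nullfs layout described in the message above, sketched as an added example (not from the original post or its linked howto): a POSIX sh function that prints fstab(5) entries mounting the host's four binary directories into one jail. The jail base `/usr/jails`, the user names, the function names and the read-only (`ro`) option are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit fstab(5) lines that nullfs-mount the host's base
# binary directories read-only into one jail. Paths and names are assumptions.

# Host directories shared into every jail (the four named in the message).
SHARED_DIRS="/bin /sbin /usr/bin /usr/sbin"

# valid_jail_name NAME -> 0 if NAME is safe to use as a single path component
valid_jail_name() {
    case "$1" in
        ""|.|..|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# jail_fstab JAILBASE NAME -> fstab lines on stdout, non-zero on bad input
jail_fstab() {
    base=$1
    name=$2
    # Reject names with "/" or other odd characters so a mount point
    # can never resolve outside JAILBASE.
    valid_jail_name "$name" || { echo "bad jail name: $name" >&2; return 1; }
    case "$base" in
        /*) ;;
        *) echo "jail base must be absolute: $base" >&2; return 1 ;;
    esac
    base=${base%/}
    for dir in $SHARED_DIRS; do
        # device = host dir, mount point = same path under the jail root,
        # type nullfs, "ro" so nothing inside the jail can alter host binaries
        printf '%s\t%s\tnullfs\tro\t0\t0\n' "$dir" "$base/$name$dir"
    done
}

# Constructed usage: one small jail per restricted user.
if [ "${1:-}" = "demo" ]; then
    for user in alice bob; do
        jail_fstab /usr/jails "$user"
    done
fi
```

The mount-point directories must already exist under each jail root before the entries are mounted.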