Date: Thu, 3 Dec 2015 08:39:26 +0100
From: Polytropon <freebsd@edvax.de>
To: Aleksandr Miroslav <alexmiroslav@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: best practice for locking down private jail?
Message-ID: <20151203083926.72ad74db.freebsd@edvax.de>
In-Reply-To: <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com>
References: <CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com>

On Wed, 2 Dec 2015 21:52:59 -0800, Aleksandr Miroslav wrote:
> On Wed, Dec 2, 2015 at 9:44 PM, Aleksandr Miroslav
> <alexmiroslav@gmail.com> wrote:
> > - from the example.org machine, outside the jail, i setup httpd to
> > serve files only from
> > /usr/jails/privatejail/usr/home/joeblow/audiofiles
> [...]
> > can I tell Apache to only serve up mp3 files of name
> > lecture-num.mp3 or something like that?
>
> Thinking about this some more. I think instead of having apache point
> to the jail directly, I setup a cron job on the host that calls a
> script that runs every 5 minutes or so, and copies only mp3 files of
> some pattern-matched name to the host system, and then only that is
> served up by apache. That would work better I think. It would have to
> be a cron job on the host, I don't think I can have a script from
> inside the private jail call something directly on the host.

Make sure no incomplete files are being processed. You can even
write a script that first checks that the user "joeblow" is
currently _not_ logged in (or not performing a scp transfer),
so incomplete files can be avoided, and then have this script
copy the files from his home (upload) directory to a different
directory for Apache to serve from; in this script, you can
also force a certain pattern for files: those that do not
match won't be copied.

In this case, even if "joeblow" accidentally (or someone else
intendedly) deletes the content of his $HOME, the files to
be served will still be intact in a location that this user
cannot access.

Oh, and regarding SSH with keys: You can force keys _and_
a password. Educate the user what a secure password is, and
make him understand "password hygiene". So even if someone
is able to get his SSH keys, the attacker cannot get access
without the password (which is to be provided interactively,
not stored in plain text in some configuration or history
file, of course).

Just a few suggestions. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
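
The host-side cron script suggested in this message, as an added example that is not part of the original e-mail. The function names, the `WHO_CMD` variable, the `jexec privatejail who` setting and the exact `lecture-NUM.mp3` pattern are assumptions; it also skips symlinks, which a host-side copy would otherwise follow to paths outside the jail.

```shell
#!/bin/sh
# Added example, not from the original message. Paths, user name and the
# lecture-NUM.mp3 pattern are assumptions.
# Command that lists login sessions; on the host this could be set to
# WHO_CMD="jexec privatejail who" (assumed jail name) to look inside the jail.
: "${WHO_CMD:=who}"

# Succeeds if user $1 has a login session according to $WHO_CMD.
user_logged_in() {
    $WHO_CMD 2>/dev/null | awk -v u="$1" '$1 == u { f = 1 } END { exit !f }'
}

# publish_lectures USER SRC DST: copy matching files, print how many.
publish_lectures() {
    user=$1 src=$2 dst=$3 count=0
    if user_logged_in "$user"; then
        echo "skip: $user is logged in" >&2
        return 75            # temporary failure: retry on the next cron run
    fi
    for f in "$src"/*.mp3; do
        name=${f##*/}
        # Enforce the naming pattern; anything else is never copied.
        case $name in
            lecture-*.mp3) num=${name#lecture-}; num=${num%.mp3} ;;
            *) continue ;;
        esac
        case $num in ''|*[!0-9]*) continue ;; esac
        # Regular files only: a symlink in the upload directory would be
        # resolved on the host, outside the jail's file system view.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # Already published and unchanged: nothing to do.
        cmp -s "$f" "$dst/$name" && continue
        tmp=$(mktemp "$dst/.incoming.XXXXXX") || return 1
        # Copy under a hidden temporary name, then rename, so Apache never
        # sees a half-written file; drop the copy if the source changed
        # while it was being read.
        if cp "$f" "$tmp" && cmp -s "$f" "$tmp"; then
            chmod 644 "$tmp" && mv -f "$tmp" "$dst/$name"
            count=$((count + 1))
        else
            rm -f "$tmp"
        fi
    done
    echo "$count"
}
```

A session without a terminal, such as an scp transfer, may not appear in `who` output, so the login check alone does not cover the scp case the message mentions.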