From: Roland Smith <rsmith@xs4all.nl>
To: Andrea Venturoli
Cc: freebsd-questions@freebsd.org
Date: Wed, 4 Apr 2012 23:34:46 +0200
Subject: Re: Best practices about Jails
Message-ID: <20120404213445.GB23551@slackbox.erewhon.net>
In-Reply-To: <4F7C0365.1050201@netfence.it>

On Wed, Apr 04, 2012 at 10:16:37AM +0200, Andrea Venturoli wrote:
> Hello.
>
> Please forgive the long post and the amount of questions, but I'm new to
> jails and I'd like to be sure of what I'm doing before deploying more
> than a test one.
> Right now I need to run a commercial Java app, which, ideally, I would
> forbid to access files outside its directory.
> This might be done by simply chrooting it, but I read a jail is a better
> solution, so I started with ezjails.
>
> First of all, I'm wondering whether it would be possible/useful to use
> chroot even inside that jail. Any opinions?

Not very useful. If one chroot is safe, a double is overkill. If chroot can
be broken out of, an extra chroot is at most an inconvenience.

> Second question: from inside the jail I can access all services on
> localhost (e.g. telnet localhost pop3, where a pop3 server is running on
> the host). Can this be avoided, e.g. with ipfw?

The pf firewall allows you to explicitly exclude aliases from interface
names. I'm assuming ipfw has similar capabilities. If you make a _pass_ rule
for just the real interface without the aliases, you should be able to block
stuff.

Maybe you can create a loopback device, and associate the jail with that. Then
you can filter the traffic to/from that to your heart's content.

> Ideally, since this jail will run only one daemon and it will be
> accessed through Apache mod_proxy from the host, I'll just need inbound
> access to its port and outbound access to smtp and web proxy on the host
> system. No direct access from/to other hosts.
> Is this possible?

I think so. If you alias the jail to a new loopback interface, you can filter
on that.

> Next... ezjail's author suggests I have a copy of the port tree just for
> the jails and, furthermore, a repository for distfiles for every jail.
> Since this would waste a lot of space, I already used a single distfile
> repository, but I'm also wondering whether it would be a bad idea to use
> the host's port tree. I know lots of people do this and, keeping it tidy
> with portsclean -CD, I wonder if it really would be a security risk in
> my case.

Does your daemon even use ports? If not, there is no use for the ports tree.

But if you want it, you can use a combination of nullfs and unionfs to get a
read-only "view" of the host's ports tree in the jail, while the "writes" are
done in the unionfs. This means that you only have to update the host's ports
tree, and the jail will automagically see it. Suppose the root of your jail is
in /var/jails/192.168.0.100/. You do the following (in the host) to set it up:

# cd /var/jails/192.168.0.100/usr
# mkdir -p tmp/foo ports
# mount_nullfs /usr/ports/ ports/
# mount_unionfs -o noatime tmp/foo ports/

To tear this down when you don't need it anymore, do this:

# umount /var/jails/192.168.0.100/usr/ports
# umount /var/jails/192.168.0.100/usr/ports
# cd /var/jails/192.168.0.100/usr
# rm -rf tmp/foo/*

And yes, the umount command _does_ need to be run twice: once for the unionfs,
and once for the nullfs! The contents of `/var/jails/192.168.0.100/usr/tmp/foo/*`
are deleted to save space.

> What about jails? Should I install portaudit there too and let them flood me
> with reports? Is there a way to let the host's portaudit check jails too?

With the nullfs/unionfs combo, you only need to update the ports tree once.
You do need to update the ports in your jail with e.g. portmaster.
Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
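An added example, not part of the thread above: one way to write the loopback-interface filtering that Roland suggests, as a pf.conf fragment for the scenario Andrea describes (inbound only to the daemon's port from the host, outbound only to the host's smtp and web proxy, nothing else). Everything below that is not on the page is an assumption: the jail is aliased onto a cloned loopback interface lo1 with the address 192.168.0.100 from the mount example, the host's own address on that interface is 192.168.0.1, the Java daemon listens on tcp/8080 and the host's web proxy on tcp/3128.

```pf
# Added example; assumed values, not from the original thread.
jail_if    = "lo1"            # cloned loopback the jail is bound to
jail_ip    = "192.168.0.100"  # jail address (from the mount example)
host_ip    = "192.168.0.1"    # host address on lo1 (assumed)
app_port   = "8080"           # Java daemon port, proxied by Apache (assumed)
proxy_port = "3128"           # host's web proxy (assumed)

# The real loopback stays unfiltered; the host keeps talking to itself.
set skip on lo0

# Default deny on the jail's interface. Logged, so any attempt such as the
# "telnet localhost pop3" from the question shows up on pflog0.
block log on $jail_if all

# Inbound to the jail: only the host (mod_proxy) may reach the daemon's port.
pass quick on $jail_if proto tcp from $host_ip to $jail_ip port $app_port keep state

# Outbound from the jail: only smtp and the web proxy on the host.
pass quick on $jail_if proto tcp from $jail_ip to $host_ip port { 25, $proxy_port } keep state
```

On a loopback interface pf sees each packet twice, once on output and once on input of the same interface, so the pass rules above carry no direction and match on both passes; a rule written as "pass in" or "pass out" alone would leave one copy of the flow to the block rule. Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and review what the jail tried and was denied with tcpdump -n -e -ttt -i pflog0.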