From owner-freebsd-questions@FreeBSD.ORG Tue Oct 13 15:44:49 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66ECC106568D for ; Tue, 13 Oct 2009 15:44:49 +0000 (UTC) (envelope-from kraduk@googlemail.com) Received: from mail-qy0-f196.google.com (mail-qy0-f196.google.com [209.85.221.196]) by mx1.freebsd.org (Postfix) with ESMTP id 1C6098FC21 for ; Tue, 13 Oct 2009 15:44:48 +0000 (UTC) Received: by qyk34 with SMTP id 34so8251010qyk.14 for ; Tue, 13 Oct 2009 08:44:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=DyqWajtON+IIuOTKuQ91VHuEUW/VbaAhN12PfraWc18=; b=hKLT9jrqQGSqsWROQxBRRRZtFIyqSKQ4v4LC07NG1gSyTVEHvvyVlYXBKXCF3HCaJ4 q/ByG5ey5kJ9dl46vrWC4MK9Oq5bXFRrMkA71jpYNS3E8pfYCHlBaWd//DwRwLVinj9g fI1w7a8KfO+oeokh3kUVGuMvoQxZAU554ns0U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=F94oPXxFpT+gU/guLUFoenxHV7iFr+ISimmFJSEcMpgev4oW86zv0emspE8SPNqzdh LW3E5CU6trpVkKXDD7tcvNUXmHcHxz3Bh/Km+/bV3I+4wk60Z2ICPHByGi8rr7ssTz7l fnDP8ZNZzslMWpZUNFoVmITfhqeguc+8XL/NE= MIME-Version: 1.0 Received: by 10.239.168.204 with SMTP id l12mr488382hbe.36.1255448687497; Tue, 13 Oct 2009 08:44:47 -0700 (PDT) In-Reply-To: <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com> References: <815964.80537.qm@web51104.mail.re2.yahoo.com> <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com> Date: Tue, 13 Oct 2009 16:44:47 +0100 Message-ID: From: krad To: APseudoUtopia Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Dino Vliet , freebsd-questions@freebsd.org Subject: Re: freebsd jail: web and database server config questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Oct 2009 15:44:49 -0000 2009/10/13 APseudoUtopia > On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet wrote: > > > > Dear Freebsd people, > > > > To consolditae on resources I have configured a machine to run both a web > and database server (powering my database driven website). > > > > Due to security concerns I'm contemplating on introducing a jailed > environment on this machine and want to know if this would be feasible. I > have a few questions for the freebsd community regarding this approach and > hope someone would give me some advice. > > > > Is it advisable/wise/okay/clever to run a webserver on my host system and > a database server on my jailed system? The webserver will need to connect to > the database system on startup and update the database based on client > access. > > I would recommend either doing it the other way around (webserver > inside the jail) or have both web and db inside separate jails. > > > > > However, if a machine gets compromised, it would rather be the webserver, > therefore running the webserver in the jailed environment seems better to > me. But how could that be done, if the webserver requires to connect through > tcp/ip to the database server running on the host system? I thought that a > key-feature of a jailed system is that it can't access resources outside the > jail. > > > > It *may* be possible to set your database software to listen on a unix > socket inside the jail dir on the host. For example, if your webserver > jail is in /usr/jails/httpd/ on the host, you may be able to have your > database listen on a unix socket in, say, /usr/jails/httpd/tmp/. > Inside the jail, you can point your web app to use the socket inside > /tmp/. I'm not sure if this is possible as I never actually > implemented it with my setup, but you can try. > you can do this but only if the the db is running on the host system. What you are doing then is open a big whole in the security of the system that will potentially let someone attack the host os via apache->mysql. What i have done on some systems is jail the db and apache in separate jails. and have a shared nullfs writable fs between them. Generally I found it better to make the connection go over ip and heavily wrap it. The added advantage of doing it over ip is that it keeps things separate, and it is far easier to migrate one of the jails onto another box in the future if you start running into capacity issues. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >