From owner-freebsd-questions Mon Mar 11 2:24:49 2002
Date: Mon, 11 Mar 2002 13:25:59 +0300 (MSK)
From: Dmitry Mottl
To: Joel Dinel
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Chroot'ing Apache
In-Reply-To: <20020310211308.A2087@sunder.touchtunes.com>

Hi

On Sun, 10 Mar 2002, Joel Dinel wrote:

> A friend of mine and I are thinking about creating a script (or series
> of scripts) to automate as much as possible the work required to get a
> chroot'ed Apache server running on FreeBSD (including updating the source
> tree and building Apache from it).
>
> I'd like to get tips or 'heads up' from people who have experience with
> chroot'ing stuff in FreeBSD.
Think about jail(2).

First make an alias on lo0:

    /sbin/ifconfig lo0 alias 192.168.0.1/16

Prepare the chrooted hierarchy - mount all necessary directories from /usr
with mount_union(8):

    #!/bin/sh
    JAIL_PREFIX=/jail
    mount -t union -o ro /sbin $JAIL_PREFIX/sbin
    mount -t union -o ro /bin $JAIL_PREFIX/bin
    mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
    mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
    mount -t union -o ro /usr/include $JAIL_PREFIX/usr/include
    mount -t union -o ro /usr/lib $JAIL_PREFIX/usr/lib
    mount -t union -o ro /usr/libdata $JAIL_PREFIX/usr/libdata
    mount -t union -o ro /usr/libexec $JAIL_PREFIX/usr/libexec
    mount -t union -o ro /usr/local $JAIL_PREFIX/usr/local
    mount -t union -o ro /usr/obj $JAIL_PREFIX/usr/obj
    mount -t union -o ro /usr/share $JAIL_PREFIX/usr/share
    mount -t union -o ro /usr/X11R6/lib $JAIL_PREFIX/usr/X11R6/lib
    mount -t procfs proc $JAIL_PREFIX/proc

or simply

    mount -t union -o ro /sbin $JAIL_PREFIX/sbin
    mount -t union -o ro /bin $JAIL_PREFIX/bin
    mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
    mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
    mount -t union -o ro /usr $JAIL_PREFIX/usr
    mount -t procfs proc $JAIL_PREFIX/proc

Prepare /etc in /jail/etc:

    cp -R /etc /jail/etc

Modify the configuration scripts (rc.conf and /usr/local/etc/rc.d).

Recompile the kernel with option IPFIREWALL_FORWARD and add a firewall rule:

    PUBLIC_IP=xxx.xxx.xxx.xxx
    /usr/sbin/ipfw add fwd 192.168.0.1,80 tcp from any to $PUBLIC_IP 80

and, if you want, deny all outgoing traffic (with ipfw) from 192.168/24 that
is not from tcp/80, to prevent your users from accessing the Internet from
the jailed machine.

And then do jail(2):

    /usr/sbin/jail /home/jail JAILEDHOST 192.168.0.1 /etc/rc

You can also use NAT instead of ipfw's FWD.

All software updates must be done outside the jail. The jail has no write
permissions on /usr because it mounts /usr read-only.

--
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University
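As an added example (not code from Dmitry's mail), here is the union-mount step above rewritten as a script with a dry-run mode and a guard that refuses an empty, root, or relative JAIL_PREFIX. That guard matters: with JAIL_PREFIX left unset, "mount -t union -o ro /sbin $JAIL_PREFIX/sbin" becomes a union mount of /sbin onto the host's own /sbin. The function names, the JAIL_RO_DIRS list and the DRY_RUN variable are assumptions of this example; it assumes FreeBSD mount(8) with union and procfs support.

```shell
#!/bin/sh
# Added example, not code from the original mail. Plans (and optionally runs)
# the read-only union mounts for a jail hierarchy. Assumes FreeBSD mount(8)
# with union and procfs support; JAIL_RO_DIRS, DRY_RUN and the function
# names are assumptions of this example.

# Directories exported read-only into the jail (assumed list; adjust as needed).
JAIL_RO_DIRS="/sbin /bin /usr/sbin /usr/bin /usr/lib /usr/libdata /usr/libexec /usr/local /usr/share"

# jail_mount_plan PREFIX
# Prints one mount command per line. Fails (non-zero) if PREFIX is empty, "/"
# or relative, because those would mount the host's own directories over
# themselves or somewhere relative to the current directory.
jail_mount_plan() {
    prefix=$1
    case "$prefix" in
        ""|/) echo "jail_mount_plan: refusing prefix '$prefix'" >&2; return 1 ;;
        /*)   ;;
        *)    echo "jail_mount_plan: prefix must be absolute: '$prefix'" >&2; return 1 ;;
    esac
    prefix=${prefix%/}          # drop one trailing slash so paths stay clean
    for d in $JAIL_RO_DIRS; do
        echo "mount -t union -o ro $d $prefix$d"
    done
    echo "mount -t procfs proc $prefix/proc"
}

# jail_mount_apply PREFIX
# Creates each mount point and runs the planned command. Needs root on
# FreeBSD; with DRY_RUN=1 it only prints what it would do.
jail_mount_apply() {
    plan=$(jail_mount_plan "$1") || return 1
    # a here-document keeps the loop in the current shell, so "return" works
    while read -r cmd; do
        target=${cmd##* }       # the mount point is the last word
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] mkdir -p $target && $cmd"
        else
            mkdir -p "$target" && $cmd || return 1
        fi
    done <<EOF
$plan
EOF
}

# jail_plan_count PREFIX
# Number of mounts in the plan, for a quick sanity check before applying.
jail_plan_count() {
    jail_mount_plan "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh thisfile.sh /jail   (prints the dry-run plan only)
if [ -n "$1" ]; then
    DRY_RUN=1
    jail_mount_apply "$1"
fi
```

Run it once with DRY_RUN=1 and compare the printed plan against the directories you actually intend to export before running it as root; anything that is not on the list (for instance /usr/src or /usr/obj) stays invisible to the jail, which is the point of exporting read-only pieces rather than the whole of /usr.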