Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 3 Dec 2015 08:39:26 +0100
From:      Polytropon <freebsd@edvax.de>
To:        Aleksandr Miroslav <alexmiroslav@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: best practice for locking down private jail?
Message-ID:  <20151203083926.72ad74db.freebsd@edvax.de>
In-Reply-To: <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com>
References:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, 2 Dec 2015 21:52:59 -0800, Aleksandr Miroslav wrote:
> On Wed, Dec 2, 2015 at 9:44 PM, Aleksandr Miroslav
> <alexmiroslav@gmail.com> wrote:
> > - from the example.org machine, outside the jail, i setup httpd to
> > serve files only from
> > /usr/jails/privatejail/usr/home/joeblow/audiofiles
> [...]
> > can I tell Apache to only serve up mp3 files of name
> > lecture-num.mp3 or something like that?
> 
> Thinking about this some more. I think instead of having apache point
> to the jail directly, I setup a cron job on the host that calls a
> script that runs every 5 minutes or so, and copies only mp3 files of
> some pattern-matched name to the host system, and then only that is
> served up by apache. That would work better I think. It would have to
> be a cron job on the host, I don't think I can have a script from
> inside the private jail call something directly on the host.

Make sure no incomplete files are being processed. You can even
write a script that first checks that the user "joeblow" is
currently _not_ logged in (or not performing a scp transfer),
so incomplete files can be avoided, and then have this script
copy the files from his home (upload) directory to a different
directory for Apache to serve from; in this script, you can
also force a certain pattern for files: those that do not match
won't be copied. In this case, even if "joeblow" acidentally
(or someone else intendedly) deletes the content of his $HOME,
the files to be served will still be intact in a location that
this user cannot access.

Oh, and regarding SSH with keys: You can force keys _and_ a
password. Educate the user what a secure password is, and make
him understand "password hygiene". So even if someone is able
to get his SSH keys, the attacker cannot get access without the
password (which is to be provided interactively, not stored in
plain text in some configuration or history file, of course).

Just a few suggestions. :-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20151203083926.72ad74db.freebsd>