From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Date: Thu, 22 Sep 2005 18:56:37 -0600
To: f-q questions <freebsd-questions@freebsd.org>
Cc: Frank.Mueller@emendis.de, Malachi de Ælfweald
Subject: Re: Requesting advice on Jail technique.
Message-Id: <2824270F-A826-43F5-A730-00AF3B7B3E2B@shire.net>
References: <4326D764.1040402@xianshi.org> <4326DC58.1090806@emendis.de>

On Sep 22, 2005, at 6:51 PM, Malachi de Ælfweald wrote:

> I am thinking at this point what I am going to try to do is build a
> jail skeleton, then use unionfs to mount on top of that... so in
> theory, I could save a LOT of space while at the same time giving
> them pretty complete jails (one per domain).
> Malachi

What I did was set up a master jail (that is never actually booted) and
use nullfs to mount pieces of that inside each separate jail (mostly
read only as well, which provides some security as well, since hacked
jails cannot have their system executables changed since they reside in
a read only space). I did not use unionfs. I have one submaster jail
which has a writable /usr with a nullfs mount (was using localhost nfs
before that) so I can install new stuff inside of that.

Here is an example:

/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/sbin on /local/jails/intentcenter/sbin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)

(continued below)

>
> On 9/13/05, Frank Mueller - emendis GmbH wrote:
>
>>
>> Hi there,
>>
>> if you have enough system resources I would recommend using separate
>> jails for every user.
>> All you have to keep in mind is that you won't be able to provide some
>> services (SMTP, POP, IMAP, etc.) more than once for the whole system
>> because they need a predefined port (25, 110, 443, etc.).

Sure you can. Each separate IP, and each jail has its own IP, has its
own set of ports. I run a single server with 40 jails and they have
their own imap, smtp, etc. in each (as required --- most don't as it is
not required but it works fine) without any port forwarding or any
funny games.
>> Some other services, like ssh, you can manage through port
>> forwarding, http through virtual hosting, etc.

see above -- all my jails (almost all) have their own apache running
inside

>> Separate jails make it much easier to keep track of activities.

yes

Chad

>> It all depends on what applications the user should be able to use.
>>
>> Greetz,
>>
>> Ice
>>
>> Elliot Crosby-McCullough wrote:
>>
>>> Dear all,
>>>
>>> I will shortly be creating a public service on a private box that
>>> will include shell access to untrusted users and would like your
>>> opinion on the best way to go about this.
>>>
>>> Obviously jails are a good start, but my main concern is whether to
>>> go for one large jail for all the restricted users or one small
>>> jail per user.
>>>
>>> I do not have a wealth of real IPs at my disposal but accountability
>>> and security is paramount, therefore I would like to use local IPs
>>> through NAT (within the one box) whilst retaining the translation
>>> logs. I would like to use one local IP per user in order to keep
>>> track of activity. I can afford a few real IPs for the purpose.
>>>
>>> The accounts themselves will be supremely limited. No root access,
>>> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
>>> users to have the ability to run any scripts, so perl etc is out,
>>> but I suppose the NAT firewall will be a fallback if any compiled
>>> programs are uploaded.
>>>
>>> Each user account is likely to have email/gpg etc but I'm happy to
>>> control that from the host system with virtual users and simply
>>> deliver into the jail. It is not necessary for the jails to run any
>>> services, except the ability to SSH in.
>>>
>>> As you can see there are factors pulling in both directions, what
>>> would you recommend as the best direction to go?
>>>
>>> Sincerely,
>>> Elliot Crosby-McCullough
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>> --
>> Frank Mueller
>> eMail: Frank.Mueller@emendis.de
>> Mobile: +49.177.6858655
>> Fax: +49.951.3039342
>>
>> emendis GmbH
>> Hofmannstr. 89, 91052 Erlangen, Germany
>> Phone: +49.9131.817361
>> Fax: +49.9131.817386
>>
>> Managing directors: Gunter Kroeber, Volker Wiesinger
>> Registered office Erlangen, Amtsgericht Fuerth HRB 10116
>>
>

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider

chad@shire.net
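The script below is an added example; it is not code from Chad's mail or from FreeBSD. It takes the paths from his mount listing (/local/jails/master as the never-booted master jail, /local/jails/<name> as each jail's root) and assumes the names MASTER_DIRS, jail_fstab and audit_mounts, which are chosen here. It does two things a practitioner running that layout wants: it generates the fstab(5) lines that reproduce the read-only nullfs mounts of bin, lib, libexec, sbin and usr for a given jail, and it audits a mount table in the format mount(8) prints (a constructed sample here, with /usr deliberately left writable) for any master directory that is not read-only, which is the one mistake that would let a compromised jail alter the executables shared by all the others. Because the mounts themselves need a FreeBSD host, the script only generates and checks.

```shell
#!/bin/sh
# Added example (not from the thread): build the fstab(5) entries for
# Chad's layout, where the never-booted master jail's bin, lib, libexec,
# sbin and usr are nullfs-mounted read-only into each jail, and audit a
# mount table for any master directory that has ended up writable.
# The paths are the ones shown in the mail; MASTER_DIRS, jail_fstab and
# audit_mounts are names chosen here, not anything from the mail.

MASTER=/local/jails/master
JAILROOT=/local/jails
MASTER_DIRS="bin lib libexec sbin usr"

# Print fstab lines for one jail, e.g. `jail_fstab intentcenter`.
# Everything from the master is mounted nullfs,ro; the jail keeps its
# own writable root (the md-backed ufs in the mail) plus its own devfs.
jail_fstab() {
    jail=$1
    for d in $MASTER_DIRS; do
        printf '%s\t%s/%s/%s\tnullfs\tro\t0\t0\n' \
            "$MASTER/$d" "$JAILROOT" "$jail" "$d"
    done
    printf 'devfs\t%s/%s/dev\tdevfs\trw\t0\t0\n' "$JAILROOT" "$jail"
}

# Read lines in the format mount(8) prints (as pasted in the mail) on
# stdin. Every nullfs mount whose source is under the master jail must
# carry "read-only"; otherwise a compromised jail could modify the
# system binaries shared by all jails. Prints offenders and returns 1
# if any were found, 0 otherwise.
audit_mounts() {
    rc=0
    while IFS= read -r line; do
        case $line in
            "$MASTER"/*" on "*nullfs*)
                case $line in
                    *read-only*) ;;
                    *) printf 'WRITABLE master mount: %s\n' "$line"; rc=1 ;;
                esac
                ;;
        esac
    done
    return $rc
}

# Constructed sample mount table: like the one in the mail, except that
# /usr has been mounted writable, which the audit should catch.
SAMPLE_MOUNTS='/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)'

# Stand-alone demo; on a real host pipe the output of `mount` into
# audit_mounts instead of the sample.
jail_fstab intentcenter
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "audit: fix the mounts above"
```

On the host, `jail_fstab name > /etc/fstab.name` followed by `mount -a -F /etc/fstab.name` before starting the jail reproduces the listing in the mail; whether rc.d/jail can be pointed at such a file for you depends on the release, so check rc.conf(5). Running `mount | audit_mounts` from cron gives a cheap check that nobody has remounted a shared directory writable, which is the property the whole scheme depends on.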