From: "Ricardo A. Reis"
Organization: UNIFESP
Date: Thu, 13 Apr 2006 17:21:38 -0300
To: "freebsd-security@freebsd.org"
Cc: "freebsd-current@freebsd.org"
Subject: Prototyping for basejail distribuition

Hi,

I attach 2 files in this email; the first is a Makefile and the second is
jail.conf.

To demonstrate my idea I decided to create a "pseudo prototype". To test it,
it is necessary to:

1 - Create dir /usr/local/basejail
2 - Copy Makefile to /usr/local/basejail
3 - Copy jail.conf to /etc
4 - The initial basejail is precompiled and distributed on CD1; to simulate
    the basejail, an installworld structure is necessary in
    /usr/local/basejail

    cd /usr/src ; make installworld DESTDIR=/usr/local/basejail

Now it is necessary to configure jail.conf:

-----
#sample template for create freebsd jail
#
# RC.CONF GLOBAL VARIABLES
#
exec_start="/bin/sh /etc/rc"
exec_stop="/bin/sh /etc/rc.shutdown"
devfs_enable="NO"
fdescfs_enable="NO"
procfs_enable="NO"
mount_enable="NO"
devfs_ruleset="ruleset_name"
flags="-l -U root"
#
# JAIL RC.CONF
#
sendmail_enable="NO"
inetd_flags="-wW -a"
rpcbind_enable="NO"
network_interfaces=""
#
# FILES
#
copy_to_jail="/etc/localtime /etc/resolv.conf /etc/csh.cshrc /etc/csh.login"
#
# JAILS
#
jail_node01_rootdir="/usr/jail/node01"
jail_node01_hostname="node01.example.com"
jail_node01_ip="127.0.0.1"

jail_node02_rootdir="/usr/jail/node02"
jail_node02_hostname="node02.example.com"
jail_node02_ip="127.0.0.2"
-------

At this point it is possible to create large numbers of jails; I implemented
this in the Makefile:

[root@daemon:/usr/local/basejail] # make

>>> Sample in /usr/share/examples/etc/jail.conf

jail       == create jail
rcconf     == create rc.conf for start jails
etcconfig  == create rc.conf for jails and copy file
showconfig == show information

Thanks for any comments,

Sorry for my English and poor Makefile.

-- 
Ricardo A. Reis
UNIFESP
Unix and Network Adm

[Attachment: jail.conf (application/octet-stream)]
[Attachment: Makefile (application/octet-stream)]
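
The step the message describes for the rcconf target (building the rc.conf entries that start the jails from the jail.conf template), as an added sh example; it is not the author's Makefile or FreeBSD project code. The function names, the sample input and the validation rules are assumptions of this example; the jail_<name>_* names follow the template in the message.

```sh
# Added example, not the posted Makefile: jail.conf template -> rc.conf lines.
# The template is parsed as data (never sourced) and values are validated.
GLOBALS="exec_start exec_stop devfs_enable fdescfs_enable procfs_enable mount_enable devfs_ruleset flags"
# Constructed sample in the message's format (not the author's file)
SAMPLE='exec_start="/bin/sh /etc/rc"
devfs_enable="NO"
jail_node01_rootdir="/usr/jail/node01"
jail_node01_hostname="node01.example.com"
jail_node01_ip="127.0.0.1"'

# conf_get FILE KEY: print the value of the last KEY="value" line
conf_get() { sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1; }
# jail_names FILE: unique names taken from jail_<name>_rootdir keys
jail_names() { sed -n 's/^jail_\([a-z][a-z0-9]*\)_rootdir=.*/\1/p' "$1" | sort -u; }

# valid_rootdir PATH: absolute, no "..", conservative character set
valid_rootdir() {
    case "$1" in
        *..*|*[!A-Za-z0-9/._-]*) return 1 ;;
        /*) return 0 ;;
    esac
    return 1
}

# emit KEY VALUE: print KEY="VALUE"; skip empty values and refuse characters
# that /bin/sh would interpret when rc.conf is later sourced as root
emit() {
    case "$2" in
        '') return 0 ;;
        *'"'*|*'$'*|*'`'*|*'\'*) echo "unsafe value for $1" >&2; return 1 ;;
    esac
    printf '%s="%s"\n' "$1" "$2"
}

# gen_rcconf FILE: rc.conf fragment on stdout, non-zero status on bad input
gen_rcconf() {
    names=$(jail_names "$1")
    [ -n "$names" ] || { echo "no jails defined in $1" >&2; return 1; }
    emit jail_list "$(echo $names)" || return 1
    for j in $names; do
        valid_rootdir "$(conf_get "$1" "jail_${j}_rootdir")" || { echo "bad rootdir for $j" >&2; return 1; }
        for k in rootdir hostname ip; do
            emit "jail_${j}_$k" "$(conf_get "$1" "jail_${j}_$k")" || return 1
        done
        for k in $GLOBALS; do
            emit "jail_${j}_$k" "$(conf_get "$1" "$k")" || return 1
        done
    done
}
```

Redirect the output to a temporary file and add it to /etc/rc.conf only when gen_rcconf exits 0, since lines printed before a rejection are an incomplete fragment.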