Date: Mon, 11 Mar 2002 13:25:59 +0300 (MSK)
From: Dmitry Mottl <dima@BigKing.sinp.msu.ru>
To: Joel Dinel <dinjo@touchtunes.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Chroot'ing Apache
Message-ID: <Pine.BSF.4.43.0203111021290.19481-100000@BigKing.sinp.msu.ru>
In-Reply-To: <20020310211308.A2087@sunder.touchtunes.com>
Hi

On Sun, 10 Mar 2002, Joel Dinel wrote:

> A friend of mine and I are thinking about creating a script (or series
> of scripts) to automate as much as possible the work required to get a
> chroot'ed Apache server running on FreeBSD (including updating the source
> tree and building Apache from it).
>
> I'd like to get tips or 'heads up' from people who have experience with
> chroot'ing stuff in FreeBSD.

Think about jail(2)

First make alias on lo0:

/sbin/ifconfig lo0 alias 192.168.0.1/16

Prepare chrooted hierarchy - mount all necessary directories from /usr
with mount_union(8):

#!/bin/sh
JAIL_PREFIX=/jail
mount -t union -o ro /sbin $JAIL_PREFIX/sbin
mount -t union -o ro /bin $JAIL_PREFIX/bin
mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
mount -t union -o ro /usr/include $JAIL_PREFIX/usr/include
mount -t union -o ro /usr/lib $JAIL_PREFIX/usr/lib
mount -t union -o ro /usr/libdata $JAIL_PREFIX/usr/libdata
mount -t union -o ro /usr/libexec $JAIL_PREFIX/usr/libexec
mount -t union -o ro /usr/local $JAIL_PREFIX/usr/local
mount -t union -o ro /usr/obj $JAIL_PREFIX/usr/obj
mount -t union -o ro /usr/share $JAIL_PREFIX/usr/share
mount -t union -o ro /usr/X11R6/lib $JAIL_PREFIX/usr/X11R6/lib
mount -t procfs proc $JAIL_PREFIX/proc

or simply

mount -t union -o ro /sbin $JAIL_PREFIX/sbin
mount -t union -o ro /bin $JAIL_PREFIX/bin
mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
mount -t union -o ro /usr $JAIL_PREFIX/usr
mount -t procfs proc $JAIL_PREFIX/proc

prepare /etc in /jail/etc

cp -R /etc /jail/etc

modify configuration scripts (rc.conf and /usr/local/etc/rc.d)

recompile kernel with option IPFIREWALL_FORWARD

add firewall rule:

PUBLIC_IP=xxx.xxx.xxx.xxx
/usr/sbin/ipfw add fwd 192.168.0.1,80 tcp from any to $PUBLIC_IP 80

and if you want to deny all outgoing traffic (with ipfw) from 192.168/24
not from tcp/80, to prevent your users accessing Internet from jailed
machine

and then do jail(2):

/usr/sbin/jail /home/jail JAILEDHOST 192.168.0.1 /etc/rc

You can also use NAT instead of ipfw's FWD

All software updates must be done outside jail. Jail has no write
permissions on /usr because it mounts /usr in RO

-- 
Dmitry A. Mottl
Network Administrator
Skobeltsyn's Institute of Nuclear Physics
Moscow State University

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
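An added example, not part of the message above: a small sh check that audits a mount table for union mounts under the jail prefix that were not mounted with `-o ro`, which is the property the reply relies on when it says the jail cannot write /usr. The sample mount lines are constructed here in mount(8)'s `source on mountpoint (type, flags)` format; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit a mount table for union mounts under a jail prefix
# that are NOT read-only. Union mounts share the host's /usr tree with the
# jail; any one mounted without "-o ro" lets the jailed Apache write to it.
# Input lines follow mount(8)'s "<source> on <mountpoint> (<type>, <flags>)".

# Read mount lines on stdin, print each union mount under $1 that lacks the
# read-only flag, and return 1 if any was printed (0 if all are read-only).
writable_jail_mounts() {
    prefix=$1
    found=0
    while IFS= read -r line; do
        set -- $line                 # $3 is the mount point
        mnt=${3:-}
        flags=${line#*\(}            # text inside the parentheses ...
        flags=${flags%\)}            # ... e.g. "union, local, read-only"
        case $mnt in
            "$prefix"/*) ;;          # inside the jail hierarchy
            *) continue ;;           # a host mount; not checked here
        esac
        case $flags in
            union,*) ;;              # only union mounts share host data
            *) continue ;;           # procfs etc. are skipped
        esac
        case ", $flags," in
            *", read-only,"*) ;;     # good: unwritable from inside the jail
            *) printf '%s\n' "$mnt"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample mount table: /usr/local was mounted without -o ro.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/sbin on /jail/sbin (union, local, read-only)
/usr on /jail/usr (union, local, read-only)
/usr/local on /jail/usr/local (union, local)
proc on /jail/proc (procfs, local)'

# Run the audit over the constructed sample; prints "/jail/usr/local".
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | writable_jail_mounts /jail
}

audit_sample || echo "WARNING: writable union mount(s) under /jail" >&2
```

On a live system the same function can be fed `mount | writable_jail_mounts $JAIL_PREFIX` after running the mount script, before starting the jail.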