Date:      Mon, 11 Mar 2002 13:25:59 +0300 (MSK)
From:      Dmitry Mottl <dima@BigKing.sinp.msu.ru>
To:        Joel Dinel <dinjo@touchtunes.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Chroot'ing Apache
Message-ID:  <Pine.BSF.4.43.0203111021290.19481-100000@BigKing.sinp.msu.ru>
In-Reply-To: <20020310211308.A2087@sunder.touchtunes.com>

Hi

On Sun, 10 Mar 2002, Joel Dinel wrote:

> A friend of mine and I are thinking about creating a script (or series
> of scripts) to automate as much as possible the work required to get a
> chroot'ed Apache server running on FreeBSD (including updating the source
> tree and building Apache from it).
>
> I'd like to get tips or 'heads up' from people who have experience with
> chroot'ing stuff in FreeBSD.
Think about jail(2)

First make alias on lo0:
/sbin/ifconfig lo0 alias 192.168.0.1/16

Prepare chrooted hierarchy -
mount all necessary directories from /usr with mount_union(8):

#!/bin/sh
JAIL_PREFIX=/jail
mount -t union -o ro /sbin $JAIL_PREFIX/sbin
mount -t union -o ro /bin $JAIL_PREFIX/bin
mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
mount -t union -o ro /usr/include $JAIL_PREFIX/usr/include
mount -t union -o ro /usr/lib $JAIL_PREFIX/usr/lib
mount -t union -o ro /usr/libdata $JAIL_PREFIX/usr/libdata
mount -t union -o ro /usr/libexec $JAIL_PREFIX/usr/libexec
mount -t union -o ro /usr/local $JAIL_PREFIX/usr/local
mount -t union -o ro /usr/obj $JAIL_PREFIX/usr/obj
mount -t union -o ro /usr/share $JAIL_PREFIX/usr/share
mount -t union -o ro /usr/X11R6/lib $JAIL_PREFIX/usr/X11R6/lib
mount -t procfs proc $JAIL_PREFIX/proc

or simply
mount -t union -o ro /sbin $JAIL_PREFIX/sbin
mount -t union -o ro /bin $JAIL_PREFIX/bin
mount -t union -o ro /usr/sbin $JAIL_PREFIX/usr/sbin
mount -t union -o ro /usr/bin $JAIL_PREFIX/usr/bin
mount -t union -o ro /usr $JAIL_PREFIX/usr
mount -t procfs proc $JAIL_PREFIX/proc

prepare /etc in /jail/etc
cp -R /etc /jail/etc
modify configuration scripts (rc.conf and /usr/local/etc/rc.d)

recompile kernel with
options IPFIREWALL_FORWARD

add firewall rule:
PUBLIC_IP=xxx.xxx.xxx.xxx
/usr/sbin/ipfw add fwd 192.168.0.1,80 tcp from any to $PUBLIC_IP 80

and if you want to deny all outgoing traffic (with ipfw) from 192.168/24 not
from tcp/80, to prevent your users from accessing the Internet from the jailed machine

and then do jail(2):
/usr/sbin/jail /jail JAILEDHOST 192.168.0.1 /etc/rc

You can also use NAT instead of ipfw's FWD

All software updates must be done outside jail.
Jail has no write permissions on /usr because it mounts /usr RO


--
Dmitry A. Mottl
Network Administrator
      Skobeltsyn's Institute of Nuclear Physics
      Moscow State University
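The procedure in the message above, turned into a reviewable script. This is an added example, not Dmitry's own script: it emits the read-only union mounts, the procfs mount and the /etc copy for the jail tree as a plan, and only executes them when JAIL_APPLY=1, so the plan can be checked before anything is mounted. It drops duplicate directories (the original list mounted /usr/include twice) and checks that the root later handed to jail(8) is the same tree the mounts went into. The prefix /jail, the variable names and the JAIL_APPLY/JAIL_PLAN switches are assumptions of this example; the directory list is the one from the message.

```shell
#!/bin/sh
# Added example (not from the original message): build the jail tree as a
# plan of read-only union mounts. Nothing runs unless JAIL_APPLY=1.
# Assumed: jail lives under JAIL_PREFIX (/jail), mount(8)/mount_union(8)
# behave as on the FreeBSD systems the message discusses.

JAIL_PREFIX="${JAIL_PREFIX:-/jail}"

# Directories exported read-only into the jail (list from the message).
RO_DIRS="/sbin /bin /usr/sbin /usr/bin /usr/include /usr/lib /usr/libdata /usr/libexec /usr/local /usr/obj /usr/share /usr/X11R6/lib"

# run_cmd: print the command; execute it only when JAIL_APPLY=1.
run_cmd() {
    echo "$*"
    if [ "${JAIL_APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# dedupe_dirs: print each directory once, preserving order. A repeated
# entry would only stack a redundant union layer on the same mount point.
dedupe_dirs() {
    seen=""
    for d in "$@"; do
        case " $seen " in
            *" $d "*) ;;                     # already listed, skip it
            *) seen="$seen $d"; echo "$d" ;;
        esac
    done
}

# plan_mounts PREFIX DIR...: one read-only union mount per directory, then
# procfs. Mount points are created first so a missing directory cannot
# make mount(8) fail halfway through the list.
plan_mounts() {
    prefix="$1"; shift
    for d in $(dedupe_dirs "$@"); do
        run_cmd mkdir -p "$prefix$d"
        run_cmd mount -t union -o ro "$d" "$prefix$d"
    done
    run_cmd mkdir -p "$prefix/proc"
    run_cmd mount -t procfs proc "$prefix/proc"
}

# plan_etc PREFIX: the jail gets its own writable copy of /etc, as in the
# message; this is the part of the tree the jail is meant to edit.
plan_etc() {
    run_cmd cp -R /etc "$1/etc"
}

# check_jail_root PREFIX ROOT: the directory given to jail(8) must be the
# tree the mounts were made into, otherwise the jail boots from an empty
# directory while the prepared tree sits unused.
check_jail_root() {
    [ "$1" = "$2" ]
}

# Print the whole plan when invoked directly with JAIL_PLAN=1.
if [ "${JAIL_PLAN:-0}" = "1" ]; then
    plan_mounts "$JAIL_PREFIX" $RO_DIRS
    plan_etc "$JAIL_PREFIX"
    check_jail_root "$JAIL_PREFIX" "${JAIL_ROOT:-$JAIL_PREFIX}" \
        || echo "warning: jail root ${JAIL_ROOT} differs from $JAIL_PREFIX" >&2
fi
```

Run it as `JAIL_PLAN=1 sh jailplan.sh` to review the mount list, then `JAIL_PLAN=1 JAIL_APPLY=1 sh jailplan.sh` as root to apply it; set JAIL_ROOT to the path you will pass to jail(8) so the consistency check can catch a mismatch before the jail is started.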

