Date:      Thu, 16 Dec 2010 15:56:44 +0300
From:      Boris Samorodov <bsam@ipt.ru>
To:        "Dave" <dave@g8kbv.demon.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Noob Jail question.
Message-ID:  <47419283@serv3.int.kfs.ru>
In-Reply-To: <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk> (dave@g8kbv.demon.co.uk's message of "Wed\, 15 Dec 2010 23\:32\:20 -0000")
References:  <20101215120036.DFC371065849@hub.freebsd.org> <4D095004.5513.2EF1E210@dave.g8kbv.demon.co.uk>

"Dave" <dave@g8kbv.demon.co.uk> writes:

> I've been reading the FreeBSD Manual (a dangerous thing to do during 
> lunchtimes!) relating to Jails.  Other than making my head spin, I'm 
> finding it a tad difficult finding out just what you can/can't do with a 
> Jail.  Mainly, because I'm not familiar with a lot of the terms used, and 
> though the man pages are no doubt correct as a reference, they don't 
> "explain" it well, in as much as how to use it, well in my addled mind at 
> the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing 
> to do" with something that will be exposed to the www.  
> (Comments/advice?)
>
> But, how do I arrange it to safely get (read only) access to the website 
> data, without preventing the FTPD service from having access to update 
> that data.  FTPD will only be reachable from LAN side of the main gateway 
> router, Hiawatha will have an outside world port forwarded to it by the 
> router.
>
> What I'm asking I guess, is..  Can a jail'd app, reach outside the jail 
> in "read only" mode.   (I suspect, maybe?)   Or can an app outside the 
> jail, drop stuff off inside the jail?  (For whatever reason, I suspect 
> not?)
>
> If anyone understands what the heck I'm blathering on about, please 
> explain it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?

You may try to use sysutils/ezjail to install/manage/etc jails.
Using ezjail-admin is quite easy. Ezjails are really light (they
use readonly mount_nullfs to a basejail rather than real filesystems).
Then you may consider using one jail for FTPD with write access and
another jail for HTTPD server with read-only access (say, readonly
mount_nullfs) to the files/filesystems written by FTPD.

-- 
WBR, bsam
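
An added example (not part of the message above and not ezjail's own code): a small sh audit of the two-jail layout suggested in the reply, confirming that the HTTPD jail receives the FTPD-written data through a read-only nullfs mount while the FTPD jail keeps write access. The jail names `ftp` and `www`, the `/data/website` path and the per-jail `fstab.<jail>` file naming are assumptions, and the sample fstab contents are constructed.

```shell
#!/bin/sh
# Constructed sample: one fstab file per jail, in the style of per-jail
# fstab files kept under /etc. Jail names and /data/website are assumptions.
make_samples() {
    dir=$1
    cat > "$dir/fstab.ftp" <<'EOF'
/usr/jails/basejail  /usr/jails/ftp/basejail  nullfs  ro  0 0
/data/website        /usr/jails/ftp/website   nullfs  rw  0 0
EOF
    cat > "$dir/fstab.www" <<'EOF'
/usr/jails/basejail  /usr/jails/www/basejail  nullfs  ro  0 0
/data/website        /usr/jails/www/website   nullfs  ro  0 0
EOF
}

# nullfs_mode FSTAB SOURCE
# Prints "ro", "rw" or "absent" for the nullfs entries whose source is SOURCE.
# If SOURCE is mounted more than once, any entry lacking "ro" yields "rw".
nullfs_mode() {
    awk -v src="$2" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $1 == src && $3 == "nullfs" {
            ro = 0
            n = split($4, opt, ",")            # options are comma-separated
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) anyrw = 1
            found = 1
        }
        END { print (!found ? "absent" : (anyrw ? "rw" : "ro")) }
    ' "$1"
}

# audit_split DIR SOURCE
# Succeeds only if the web jail sees SOURCE read-only and the FTP jail
# sees it read-write, which is the separation described in the reply.
audit_split() {
    [ "$(nullfs_mode "$1/fstab.www" "$2")" = "ro" ] &&
    [ "$(nullfs_mode "$1/fstab.ftp" "$2")" = "rw" ]
}
```

The check only reads the fstab files; on a running host, `mount` output for the jail's mount point should also list the nullfs mount as read-only.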


