Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Dec 2015 11:33:58 -0800
From:      Aleksandr Miroslav <alexmiroslav@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: best practice for locking down private jail?
Message-ID:  <CACcSE1ytnqK_e8TBj_VGvznaPs+1q6sh0RsFCHQT9Tpxqk7jqw@mail.gmail.com>
In-Reply-To: <20151210150224.18d842126bf67bb0b07dcdf6@sohara.org>
References:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org> <CACcSE1zhMLnbo+bOixOM_ZLBpP+szbmzfFH_12v36ezy34fs9g@mail.gmail.com> <20151210144007.GA23555@fanty-a.tf.uni-kiel.de> <20151210150224.18d842126bf67bb0b07dcdf6@sohara.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, Dec 10, 2015 at 7:02 AM, Steve O'Hara-Smith <steve@sohara.org> wrote:
> > I think the cron job isn't needed. Create a directory outside the jails
> > and mount it as nullfs and 'rw' into the upload jail and 'ro' into the
> > web server jail. We do this on a zfs basis.
>
> That works of course, but loses the opportunity to verify the files
> before putting them online.

Exactly. The situation I'm trying to avoid is where someone compromises the key
and credentials of the uploader and is able to accesses the "upload"
jail. If I sanitize
the files before copying them to the "web" jail, just about the only
thing they will be
able to do is put up audio files of the form lecture-001.mp3,
lecture-002.mp3, and so one.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CACcSE1ytnqK_e8TBj_VGvznaPs+1q6sh0RsFCHQT9Tpxqk7jqw>