Hello,

I use different jails for nearly each network service I have to provide: httpd, smtp/pop3, squid, log collector. It's quite difficult to build each particular jail with those programs and corresponding libraries which will be needed in it. That is why I made the following simple script to make a jail and to add needed programs to it (you will have to change the absolute paths):

#!/bin/sh

# Copy the program named in $TGT, plus every shared library ldd lists for it,
# into the jail tree under $DSTDIR, keeping the same directory layout.
docommand() {
    LDD=/usr/bin/ldd
    MD=/bin/mkdir
    TMP=`which $TGT`
    # Skip names that which(1) cannot find instead of running stat/cp on nothing.
    if ( test "$TMP" = "" )
    then
        echo "Warning - $TGT not found"
        return 1
    fi
    DP=`dirname $TMP`
    DF=$DSTDIR$DP/`basename $TMP`

    # Fields 3, 5 and 6 of FreeBSD stat(1) output are mode, owner and group.
    TMPSTAT=`stat $TMP | awk '{ print $3, $5, $6 }'`
    if [ -d $DSTDIR$DP ] && [ ! -f $DF ]
    then
        cp $TMP $DSTDIR$DP
        DFSTAT=`stat $DF | awk '{ print $3, $5, $6 }'`
        if ( test "$TMPSTAT" != "$DFSTAT" )
        then
            echo "Warning - $TMP and $DF modes differ" && ls -la $TMP && ls -la $DF
        fi
    else
        $MD -p $DSTDIR$DP && cp $TMP $DSTDIR$DP
        DFSTAT=`stat $DF | awk '{ print $3, $5, $6 }'`
        if ( test "$TMPSTAT" != "$DFSTAT" )
        then
            echo "Warning - $TMP and $DF modes differ" && ls -la $TMP && ls -la $DF
        fi
    fi

    # Drop the "file:" header line of ldd; field 3 is the resolved library path.
    for aa in `$LDD $TMP | grep -v ":" | awk '{ print $3 }'`
    do
        DRNAME=`dirname $aa`
        DF1=$DSTDIR$DRNAME/`basename $aa`
        AASTAT=`stat $aa | awk '{ print $3, $5, $6 }'`
        if [ -d $DSTDIR$DRNAME ] && [ ! -f $DF1 ]
        then
            cp $aa $DSTDIR$DRNAME
            DF1STAT=`stat $DF1 | awk '{ print $3, $5, $6 }'`
            if ( test "$AASTAT" != "$DF1STAT" )
            then
                echo "Warning - $aa and $DF1 modes differ" && ls -la $aa && ls -la $DF1
            fi
        else
            $MD -p $DSTDIR$DRNAME && cp $aa $DSTDIR$DRNAME
            DF1STAT=`stat $DF1 | awk '{ print $3, $5, $6 }'`
            if ( test "$AASTAT" != "$DF1STAT" )
            then
                echo "Warning - $aa and $DF1 modes differ" && ls -la $aa && ls -la $DF1
            fi
        fi
    done
}


# Base directory under which all jails live (default /usr/home).
echo "where you want base dir to be?"
read DSTDIR
echo $DSTDIR
if ( test "$DSTDIR" = "" )
then
    DSTDIR=/usr/home
    echo $DSTDIR
#    elseif [ ! -d $DSTDIR ]
#    then
#    mkdir -p $DSTDIR
else
    if [ ! -d $DSTDIR ]
    then
        mkdir -p $DSTDIR
    fi
fi

# Name of the jail directory (default 10.10.10.10).
echo "how do you want to call this jail?"
read JDIR
echo $JDIR
if ( test "$JDIR" != "" ) then DSTDIR=$DSTDIR/$JDIR; fi;
if ( test "$JDIR" = "" )
then
    JDIR=10.10.10.10
    DSTDIR=$DSTDIR/$JDIR
fi
echo $JDIR

# A new jail gets the skeleton directories and a basic set of programs.
if [ ! -d $DSTDIR ]
then
    mkdir -p $DSTDIR
    echo "DEST: $DSTDIR"
    mkdir $DSTDIR/dev && echo "Please copy devices!!!"
    cp /dev/null $DSTDIR/dev/
    echo 'Write "yes" after'
    read y;
    if ( test "$y" != "yes" ); then exit 0; fi
# for iiii in fd net kmem log mem null random stderr stdin stdout urandom zero
#       do
#       cp /dev/$iiii $DSTDIR/$JDIR/dev/
#       done
    mkdir $DSTDIR/bin
    mkdir $DSTDIR/etc
    mkdir $DSTDIR/lib
    mkdir $DSTDIR/libexec && cp /libexec/ld-elf.so.1 $DSTDIR/libexec/
    mkdir $DSTDIR/home
    mkdir $DSTDIR/proc
    mkdir $DSTDIR/tmp
    mkdir $DSTDIR/usr
    mkdir $DSTDIR/var
    mkdir $DSTDIR/var/run
    cd $DSTDIR && ln -s dev/null ./kernel
    for TGT in sh mail syslogd newsyslog cron
    do
        docommand;
    done
fi

# Add one more program (and its libraries) to the jail.
echo "what programs d'you want to copy?"
read TGT
echo $TGT
if ( test "$TGT" = "" )
then
    exit 0;
else
    docommand;
fi
exit 0;


Another one to see the processes in different jails:
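#!/bin/sh
# Split the ps output on newlines only, so each loop pass sees one process.
IFS='
'
mount -t procfs proc /proc
ii=1
iiiii=5
# Jailed processes carry a "J" in the ps state column.
for i in `ps -ajxfw | grep "J" | grep -v grep`
do
    uid=`echo $i|awk '{ print $1 }'`
    pid=`echo $i|awk '{ print $2 }'`
    pnam=`echo $i|awk '{ print $10 }'`
    # The first matching line is the ps header, skip it.
    if (test $ii -ne 1) then
        # Fourth path component of the executable = jail directory name.
        iiii=`readlink /proc/$pid/file | awk -F'/' '{ print $4 }'`
        # Fourth dot-separated part of that name selects the colour.
        iii=`echo $iiii | awk -F'.' '{ print $4 }'`
        # Debug leftover: with these two lines active the script stops after
        # the first process and prints nothing else.
        # echo "ii= $iii"
        # exit 0;
        if (test "$iii" = "buk") then
            iiiii=2
        fi
        if (test "$iii" = "198") then
            iiiii=4
        fi
        if (test "$iii" = "220") then
            iiiii=5
        fi
        if (test "$iii" = "222") then
            iiiii=6
        fi
        # With "x" as first argument, also list the process's IPv4 sockets.
        if ( test "$1" = x) then
            echo -e "\033[1;1;4${iiiii}m${iiii}, ${pid}:\033[2;0m"\
            `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'`       $uid\
            `lsof -nn -p ${pid} | grep "IPv4" | awk '{ print $8, $9, $12 }'`
        else
#           echo -e "\033[1;1;42m$iiii, $pid:\033[2;0m"\
            echo -e "\033[1;1;4${iiiii}m${iiii}, ${pid}:\033[2;0m"\
            `cat /proc/$pid/status | awk '{ printf $1"\t"$15 }'`       $uid
        fi
    fi
    ii=`expr $ii + 1`
done

# umount(8) takes the mount point (or the special name), not the fs type.
umount /proc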
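
A check that a jail built by copying ldd-listed libraries, as in the first script above, really contains every library its programs need. This is an added example and not part of the original post; the function names are hypothetical and the ldd sample is constructed.

```shell
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of FreeBSD-style ldd output, for trying the parser offline.
sample_ldd() {
    printf '%s\n' '/bin/sh:' \
        '        libedit.so.7 => /lib/libedit.so.7 (0x800250000)' \
        '        libc.so.7 => /lib/libc.so.7 (0x800400000)'
}

# stdin: ldd output; stdout: the absolute library paths, de-duplicated.
# Skips the "file:" header and entries without a path ("not found", vdso).
jail_lib_paths() {
    awk '
        /:$/ { next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    ' | sort -u
}

# stdin: absolute paths; prints those absent under jail root $1.
# Returns 0 if nothing is missing, 1 otherwise.
jail_missing() {
    jroot=$1
    rc=0
    while IFS= read -r p; do
        if [ ! -e "$jroot$p" ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Check programs (absolute host paths) against jail root $1, using host ldd.
jail_audit() {
    jroot=$1; shift
    bad=0
    for prog in "$@"; do
        if [ ! -e "$jroot$prog" ]; then
            echo "$prog: not in jail"; bad=1; continue
        fi
        miss=$(ldd "$prog" 2>/dev/null | jail_lib_paths | jail_missing "$jroot") || {
            echo "$prog: libraries missing in jail:"
            echo "$miss" | sed 's/^/  /'
            bad=1
        }
    done
    return $bad
}
```

Typical use after sourcing the file: jail_audit /usr/home/10.10.10.10 /bin/sh /usr/sbin/cron; a non-zero exit status means at least one program or library is absent from the jail tree.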



Date: Thu, 22 Sep 2005 17:51:02 -0700
From: Malachi de ?lfweald <[EMAIL PROTECTED]>
Subject: Re: Requesting advice on Jail technique.
To: [EMAIL PROTECTED]
Cc: Elliot Crosby-McCullough <[EMAIL PROTECTED]>,
        [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

I am thinking at this point what I am going to try to do is build a jail
skeleton, then use unionfs to mount on top of that... so in theory, I could
save a LOT of space while at the same time giving them pretty complete jails
(one per domain).
 Malachi

 On 9/13/05, Frank Mueller - emendis GmbH <[EMAIL PROTECTED]> wrote:


Hi there,

if you have enough system resources I would recommend using separate
jails for every user.
All u have to keep in mind is that you won't be able to provide some
services (SMTP, POP, IMAP, etc.) more than once for the whole system
because they need a predefined port (25, 110, 443, etc.).
Some other services, like ssh u can manage through port forwarding, http
through virtual hosting, etc.
Separate jails make it much easier to keep track of activities.
It all depends on what applications the user should be able to use.

Greetz,

Ice

Elliot Crosby-McCullough wrote:

> Dear all,
>
> I will shortly be creating a public service on a private box that
> will include shell access to untrusted users and would like your opinion
> on the best way to go about this.
>
> Obviously jails are a good start, but my main concern is whether to
> go for one large jail for all the restricted users or one small jail per
> user.
>
> I do not have a wealth of real IPs at my disposal but accountability
> and security is paramount, therefore I would like to use local IPs
> through NAT (within the one box) whilst retaining the translation logs.
> I would like to use one local IP per user in order to keep track of
> activity. I can afford a few real IPs for the purpose.
>
> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
>
> Each user account is likely to have email/gpg etc but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail. It is not necessary for the jails to run any services,
> except the ability to SSH in.
>
> As you can see there are factors pulling in both directions, what
> would you recommend as the best direction to go?
>
> Sincerely,
> Elliot Crosby-McCullough
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"


--
Frank Mueller
eMail: [EMAIL PROTECTED]
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386

Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Amtsgericht Fuerth HRB 10116