What processes belong in a jail? - The FreeBSD Forums
  #1  
July 31st, 2012, 07:22
mroussin51
What processes belong in a jail?

Hello and Greetings,

I have a box hosting a single website. I installed httpd with no jail. I have since learned that I should be running it inside a jail. I have read about jails and I am confident I can configure one. Thanks to obscurity, so far I have had no problems.

I am planning to upgrade to a better box so I thought I would do it right this time. I will be adding DNS Server and MTA to its duties. I have been reading about chroot and jails in my spare time and have answered all but a few questions.

1. What processes belong in a jail?

2. How are hundreds of users quarantined on machines hosting web sites?

Thanks,

Mike
  #2  
July 31st, 2012, 22:49
anomie

Each 'net-facing daemon in its own FreeBSD Jail is great, where possible/practical. The idea is: if one service suffers any form of compromise, it will likely be more difficult for it to affect a) other services; b) the host system.

Not sure I understand your second question. What are you trying to accomplish? What sorts of users? (Shell accounts?)
__________________
"Do Not Engage in Useless Activity" --Miyamoto Musashi
  #3  
August 1st, 2012, 04:26
mroussin51
Revised questions

Thank you for the reply, Anomie.

1. Does BIND belong in a jail too?

2. Should folks that I am web hosting for get a shell or should they just get ftp access to their user-land space? If they do get a shell how are they kept from doing things and seeing things they should not? If they don't get a shell how do they perform administrative tasks on their user-land directories and files? Without bugging the administrator.

Chroot and jails are common conventions used to control users on a number of modern commercial systems. What is the standard practice for user control on FreeBSD? It seems that I will find the answer is a combination of chroot and MAC.

For now I am seeking a book that covers these topics in detail.

regards,

Mike
  #4  
August 1st, 2012, 09:02
kpa

1. The default setup of BIND is chrooted in FreeBSD. That is already quite secure, but if I was hosting a BIND DNS server in a high-risk environment I would definitely put it into a jail of its own and also keep the chroot setup.
  #5  
August 1st, 2012, 22:41
mroussin51
Recap

Thanks, kpa.

So named should be inside a jail and chroot is used in the jail. That is chroot inside of a chroot. I was confused about that because I had read that named has an automatic chroot convention and I also read that DNS Server should be in a jail. I now understand that it is both.

Wow, I am going to continue to study. Thanks FreeBSD for making it possible to learn so many different concepts and thanks to the FreeBSD community of experts that share with the rest of us.

I am still wondering how to sandbox users. But for now I am going to learn to build and configure jails for my high risk services to run within.

Thanks again!
  #6  
August 1st, 2012, 23:26
anomie

Quote:
Originally Posted by mroussin51
Should folks that I am web hosting for get a shell or should they just get ftp access to their user-land space? If they do get a shell how are they kept from doing things and seeing things they should not? If they don't get a shell how do they perform administrative tasks on their user-land directories and files? Without bugging the administrator.

What exact tasks do the end users need to be able to perform? If they need to transfer files to/from the server, then SFTP may be a good candidate.

If they legitimately need to work (e.g. edit files, execute programs) on the server, then they may need a shell.

OpenSSH itself can be placed inside a FreeBSD Jail such that end users don't get access to the host system, or to other jails. You can control whether they have access to each other's files through standard filesystem permissions.

Quote:
Originally Posted by mroussin51
For now I am seeking a book that covers these topics in detail.

Though it could probably use a new edition release at this point (it was written for FreeBSD 7), I recommend: https://www.michaelwlucas.com/nonfic...solute-freebsd
  #7  
August 2nd, 2012, 22:17
NewGuy

I believe a good general rule is any network service should be placed inside a jail. As for your users, I recommend giving them FTP and SFTP access only. For web hosting there really isn't any reason to give them shell access.
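
One way to check a host against the rule of thumb given in this thread (network services belong in a jail) is to list the listening daemons that still run with jail ID 0. This is an added example, not code from any poster; it assumes the column layouts of FreeBSD's `ps -axo jid,pid,comm` and `sockstat -4 -6 -l`, and the sample data is constructed.

```sh
#!/bin/sh
# Added example: report listening processes that run on the host (JID 0).
# $1 = output of `ps -axo jid,pid,comm`, $2 = output of `sockstat -4 -6 -l`
# (assumed FreeBSD column layouts; header lines are skipped automatically).
unjailed_listeners() {
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } |
    awk '
        $0 == "---" { part = 2; next }
        # First part: remember the jail ID of every PID.
        part != 2 { if ($1 ~ /^[0-9]+$/) jid[$2] = $1; next }
        # Second part: keep sockets whose owning PID has jail ID 0.
        $3 ~ /^[0-9]+$/ && ($3 in jid) && jid[$3] + 0 == 0 {
            key = $2 " " $5 " " $6
            if (!(key in seen)) { seen[key] = 1; print $2, $5, $6 }
        }'
}

# Constructed sample: httpd, sshd and syslogd on the host, named and
# sendmail already moved into jails 1 and 2.
SAMPLE_PS='JID   PID COMMAND
  0   612 syslogd
  0   812 httpd
  0   845 sshd
  1  1320 named
  2  1411 sendmail'

SAMPLE_SOCK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     syslogd    612   6  udp4   *:514            *:*
www      httpd      812   3  tcp4   *:80             *:*
root     sshd       845   4  tcp4   *:22             *:*
bind     named      1320  20 udp4   192.0.2.53:53    *:*
root     sendmail   1411  4  tcp4   192.0.2.25:25    *:*'

unjailed_listeners "$SAMPLE_PS" "$SAMPLE_SOCK"

# On a live host (run as root so every socket is visible):
# unjailed_listeners "$(ps -axo jid,pid,comm)" "$(sockstat -4 -6 -l)"
```

Each line of output is a command name, protocol and local address; anything listed there is a candidate for its own jail.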
  #8  
August 3rd, 2012, 05:53
mroussin51
Solved

Anomie and NewGuy,

Thanks, you two!

It is a lot more clear to me now. I should be able to answer further questions through trial and error.

Best regards,

Mike
All times are GMT +1.