Block access to jail folder for shell users (ezjail created)

Hi!

How can I correctly block access for host shell users to /usr/jail/jailname folder structure?
Jail created by ezjail.
Thank you!

Dmitry.
 
Not sure these are necessarily the best ways, but I can think of options:

1. If you use /usr/jail as the basis for all your jails, you can chown root:wheel /usr/jail && chmod 700 /usr/jail; I believe the jails will still start and operate normally, but only root can access the directory.

2. If you need some users to access jails, create a "jail" group, add users that need to access the directories to said group, and do chown root:jail /usr/jail && chmod 750 /usr/jail

3. Just explicitly block regular users. Similar to #2, add all your users to some generic group (say users). If you have NFSv4 ACLs on your file system (default on ZFS, not default but an option on UFS), run setfacl -m g:users:full_set::deny /usr/jail

I'd probably pick option 1 :)
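
Added example (not part of the original thread): a POSIX sh check that the mode bits set in options 1 and 2 really keep users outside the owner and group from reaching a jail directory. The function names `other_bits` and `other_blocked` are made up for this example, and NFSv4 ACL entries (option 3) are not evaluated.

```shell
#!/bin/sh
# Audit by mode bits only: can "other" (neither owner nor group member)
# traverse from the jail base directory down to a given jail?

# Print the three "other" permission characters of a path, e.g. "r-x" or "---".
other_bits() {
    # ls -ld prints the mode string first ("drwxr-x---"); columns 8-10 are "other".
    ls -ld "$1" | cut -c8-10
}

# other_blocked DIR STOP
# Return 0 if "other" lacks search (x) permission on DIR or on any ancestor
# up to and including STOP; return 1 if every component is traversable.
other_blocked() {
    dir=$1
    stop=$2
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;        # searchable by other (t = sticky with x), keep climbing
            *) return 0 ;;     # search denied here, everything below is unreachable
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# When run with two arguments, e.g. /usr/jail/jailname /usr/jail, report the result.
if [ "$#" -eq 2 ]; then
    if other_blocked "$1" "$2"; then
        echo "blocked for other: $1"
    else
        echo "reachable by other: $1"
    fi
fi
```
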
 
1. If you use /usr/jail as the basis for all your jails, you can chown root:wheel /usr/jail && chmod 700 /usr/jail; I believe the jails will still start and operate normally, but only root can access the directory.
Thank you!
I used this way :)
 
You're doing jails wrong.
Don't give them host access at all. Give em a jail.
I'd basically agree for new installs, but especially if you're integrating jails into a pre-existing environment, you'll probably have a mix of stuff managed on jails versus the host. Nothing wrong with taking some security precautions in that scenario.

FreeBSD gives you a lot of ways to manage your systems.
 