Jails worth the extra hassle?

Hi,

I have a question regarding the added security of service jails.
How much more secure is it? And as far as I understand, setting up service jails can be a bit tricky. Is the added security worth the added complexity?

And if the host system is compromised aren't you phucked anyways?


Thoughts?
 
Business_Woman said:
And if the host system is compromised aren't you phucked anyways?
The point is that jailed services would prevent that from happening...

Worth/value are very subjective terms.
 
Instead of setting up a jail for each service, why not just set up one jail and run sendmail, bind, etc. all in that?
 
Business_Woman said:
How much more secure is it?

Jails primarily buy you two things:
  1. Another hurdle between your host system and a misconfiguration (or zero-day flaw) in one of your services
  2. More time to detect and react to a security incident

Imagine an insidious flaw in Apache web server (not totally unthinkable) that allows an attacker to gain root-level access. If that happens on a host system, it's game over. If that happens within a jail, he has gained root within the jail. Assuming there is not also another "known" insidious flaw for FreeBSD jails at that moment, a competent sysadmin has time (hours? days?) to observe strange system behavior and react appropriately.

Business_Woman said:
And as far as i understand, setting up service jails can be a bit tricky.

Virtually everything worth doing has a learning curve associated with it. There are some FreeBSD ports to help soften that learning curve. (I don't use 'em, but it seems like plenty of folks do.)

Business_Woman said:
Is the added security worth the added complexity?

It's all about context. Is it worth it on your home workstation that sits behind a NAT device and has no listening services? Probably not. Is it worth it on the production servers whose well-being determines whether you get to eat and pay your mortgage? Most definitely.

Business_Woman said:
And if the host system is compromised aren't you phucked anyways?

Key word: IF. That's precisely the point of jails.
 
Business_Woman said:
Hi,

I have a question regarding the added security of service jails.
How much more secure is it? And as far as I understand, setting up service jails can be a bit tricky. Is the added security worth the added complexity?

And if the host system is compromised aren't you phucked anyways?


Thoughts?

Absolutely worth it.

You can mount your jails nullfs and read-only (for the base system), which adds an extra layer of security. Jails are REALLY easy to use with the ezjail port, and are EXCELLENT.


They allow you to do so much more... let's say you want to try something new. If you do it in a jail, and it goes wrong or gets entirely screwed up, you don't need to reinstall your system, just delete the jail.

Or, let's say you have a server and you want to let a friend run a website on it. You could give him a jail, and allow him root access to that jail, and not worry that he borks your entire install.

I typically run multiple jails. On one system I have, I have a jail for mysql, then several jails for different websites, a jail for an email server, and a jail for irc.

I can allow different people access to different jails without having to worry about them accessing files they shouldn't see. It's wonderful.
 
If you're setting up your jails in such a way that the host can still be compromised somehow, then no, they're not worth it. Jails are not intended to protect the jail environment from the host environment, they're only intended to do the opposite.

They're another fence for an attacker to climb before they reach pay-dirt, with the hope being that you'll detect them before they get to the top of the last fence.
 
Jail disk cost

Can a jail be installed manually from mostly host file links, without filling /usr/src and the disk costs of buildworld and installworld? Even ezjail seems to require them.
 
silicium said:
Can a jail be installed manually from mostly host file links, without filling /usr/src and the disk costs of buildworld and installworld? Even ezjail seems to require them.
Read jail(8):

In many cases this example would put far more in the jail than needed. In the other extreme case a jail might contain only one file: the executable to be run in the jail.
 
silicium said:
Can a jail be installed manually from mostly host file links, without filling /usr/src and the disk costs of buildworld and installworld? Even ezjail seems to require them.

You can use sysinstall for jails.
 
This is almost like asking is locking your car worth the hassle? If you're parking your car at your house inside your garage then you probably don't need to lock it. But if you're in a mall parking lot you probably want to lock it.

Each person needs to evaluate their security situation and see if the added administration of jails is worth it. That being said, using a tool like ezjail makes setup and maintenance very, very easy. If you're running a web server with something like PHP, I would say it's a VERY bad idea not to use a jail (google "php exploit").

Even if your server is a single-purpose tool (i.e. only a webserver), can you be sure that it will stay that way? What if someone uses a PHP exploit on your webserver to gain root access and starts replacing system binaries to log passwords, or even replaces the compiler so that every port you build on your system has a backdoor compiled into it? So maybe what started as just a web server, after a few months, becomes the box you decide to put your LDAP authentication on, and now what? Even if you put LDAP in a jail, your base system was compromised long ago. Now there are tools that you can use to monitor your base system, but good security is about layers of protection. Using jails adds another layer and greatly increases security.

Also, I found the tools available to set up a jail in FreeBSD much easier than the tools available for setting up a chroot environment in Linux. If you read the tutorials for chrooting a web server along with all the stuff it needs to run, it starts to be a huge pain. Not to mention that everything you read about chroot also states that it's not a completely secure method and it can be broken out of. FreeBSD jails were implemented in part because chroot could be broken out of. Jails are much more secure than chroot.

I can get a jail up and running with a web server in a minute, and installing and maintaining the jail is painless. The great thing about FreeBSD jails is that the "hassle" isn't in the maintenance, it's in learning how to set up and use them. Once you have that covered they are painless and a great tool to take advantage of.
 
fwaggle said:
If someone gets root from PHP, you have bigger issues and jails won't save you. :P

It's not like it's real root. If you have your jail backed up, you can rm the exploited jail, pull in from the backup and patch the hole.
 
fwaggle said:
If someone gets root from PHP, you have bigger issues and jails won't save you. :P

Considering there are shared hosting companies that give people full root access to their jail, I would be much less worried about a compromised PHP app inside a jail gaining root access vs. an app in the host system. It really comes down to this: there are some things you should be running at the very least chrooted, but with FreeBSD you get jails, so why not use them? Some apps automatically chroot themselves and don't depend on other apps to run, so in that case it's probably not worth setting up a jail (check the security history of the app also). But if you're not using chroot or jails, it's Russian roulette.
 
Business_Woman said:
Hi,
I have a question regarding the added security of service jails.
How much more secure is it? And as far as I understand, setting up service jails can be a bit tricky. Is the added security worth the added complexity?

Security is not the only advantage of jails. For example, you want to upgrade your DB server. Your steps without jails: upgrading the DBMS, exporting your data, importing your data. And if something goes wrong - reinstalling the old version, restoring data, etc...
With jails - I copy the existing jail to another place, use portupgrade, stop the database, export and import data. If something goes wrong, I can always switch to the old jail. And when you have one service on a system it's much more manageable (for example, only one service breaks in case of an upgrade).
Security of the base system can usually be guaranteed by using a minimum of services (in fact, the only process listening for outbound connections in the base system is sshd) and a private management network or firewall.
 
One thing that makes jails even more wonderful is ZFS.

Snapshots are instantaneous and do not consume extra space. New jails can be cloned from existing jails, with their entire environment (software/data). Experimenting with new jails/services is trivial and fast, without wasting resources. Online 'backup' and 'restore' of jail virtual machines is trivial.

Even the standard jail support infrastructure (in /etc/rc.d) is sufficient for automating many of the tasks.

There is one aspect of security -- if it is too complex to implement, it is often postponed, until the bad day comes. With FreeBSD jails, setting up a sufficiently isolated, yet integrated, environment is easy -- and so security increases. It's worth the time spent to learn.
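The "copy the jail, upgrade the copy, switch back if it breaks" workflow from the two posts above, written out as a ZFS snapshot/clone script. This is an added example, not code from any poster in this thread; it assumes a hypothetical layout with jail datasets under zroot/jails mounted under /jails, a running clone reachable with `pkg -j`, and uses DRY_RUN=1 to print the commands instead of executing them.

```shell
# Added example: trial a jail upgrade on a ZFS clone so the production jail
# is never touched until the clone is known good. Dataset names, mountpoints
# and jail names below are hypothetical.
set -eu

ZFS=${ZFS:-zfs}

# Run a command, or just print it when DRY_RUN=1 (lets the flow be inspected
# on a machine without ZFS or jails).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Snapshot a jail dataset: instant, and costs no space until data diverges.
snapshot_jail() {   # $1 dataset, $2 label
    run "$ZFS" snapshot "$1@$2"
}

# Clone a snapshot into a writable scratch dataset for the trial jail.
clone_jail() {      # $1 dataset, $2 label, $3 clone dataset, $4 mountpoint
    run "$ZFS" clone -o "mountpoint=$4" "$1@$2" "$3"
}

# Undo changes made directly in a jail (e.g. an upgrade that went wrong).
rollback_jail() {   # $1 dataset, $2 label
    run "$ZFS" rollback "$1@$2"
}

# Snapshot, clone, start the clone as a minimal jail sharing the host's
# network stack, and upgrade packages inside it. On failure the clone is
# destroyed and 1 is returned; the production jail is left as it was.
trial_upgrade() {   # $1 dataset, $2 label, $3 clone dataset, $4 mountpoint, $5 jail name
    snapshot_jail "$1" "$2"
    clone_jail "$1" "$2" "$3" "$4"
    run jail -c "name=$5" "path=$4" ip4=inherit persist
    if run pkg -j "$5" upgrade -y; then
        run jail -r "$5"
        echo "upgrade ok in $5; cut the service over, or zfs promote $3"
        return 0
    fi
    run jail -r "$5"
    run "$ZFS" destroy "$3"
    echo "upgrade failed; $3 destroyed, $1 untouched"
    return 1
}
```

Call it as `trial_upgrade zroot/jails/db pre-upgrade zroot/jails/db-new /jails/db-new db-new`; with DRY_RUN=1 it only prints the zfs, jail and pkg commands it would run.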
 