jails Subsetting Parent-Child Jail Permissions

I have a workaround for this, I'm curious about parent-child permission usefulness (use cases).

I've been playing around with hierarchical jails. I have a toy problem set up: 1 host + 4 jails. Jails: (1) Firewall/Gateway, (2) SSH Jump Server, (3) nginx Reverse Proxy, (4) Web Server. The Host is not important. Firewall is the front door between WAN<=>LAN. Incoming SSH and Web requests go to "DMZ" with Jump Server and Reverse Proxy, respectively. From those, SSH can go back to Firewall or Web Server and Web Requests go to Web Server.

I've set this up with all Jails as peers and it works. I wanted to reconfigure the Firewall as a parent jail and the Jump Server and the Reverse Proxy as its child jails. It took a bit to get started because getting the parent jail permissions just right for thin jails requires mount permissions. Now that I have that working, I realized it appears that child jails must have the exact same device permissions as their parents. Is there a way to circumscribe children device settings from their parents?

If I want to fine tune the permission structure of a jail (for example, to limit what someone can do logged into the ssh jump server or if they've broken out of the reverse proxy), I can always make it a peer, I guess. OTOH, if a web server is backed by a database, that database could be a child jail, further isolating it from the outside and also limiting the DB's reach. These seem like good isolation strategies, but they aren't possible if child jail device permissions can't be isolated.

Am I mistaken in my understanding of how child jail permissions work? Are parent-child jails a nice idea in theory that don't get many real-world implementations?

Thanks.

Code:
  # PERMISSIONS FOR FIREWALL JAIL
  allow.raw_sockets;
  exec.clean;
  mount.devfs;
  devfs_ruleset = 11;

  # PERMISSIONS FOR A PARENT
  allow.mount;
  allow.mount.devfs;
  allow.mount.nullfs;
  enforce_statfs=1;
  children.max=2;

Code:
  # PERMISSIONS FOR A CHILD JAIL
  allow.raw_sockets;
  exec.clean;
  mount.devfs;
  devfs_ruleset = 0;  # *** this must be zero and inherits parent device permissions
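
The two fragments above show the parameters the poster set but not how they fit together in one jail.conf. Below is an added example (not the poster's own file, not taken from the FreeBSD project) that puts the firewall parent and its two children into a single hierarchical jail.conf using jail(8)'s dotted naming, where `fw.jump` is the child `jump` of the jail `fw`. The parameter values mirror the post; the jail names, `path`, `host.hostname`, and the `exec.*` lines are placeholders, and networking (vnet, epair, pf) is left out so the permission layering stays visible. The `devfs_ruleset = 0` on the children is kept as the poster found it: jail(8) documents `devfs_ruleset` with "Descendant jails inherit the parent jail's devfs ruleset enforcement", so the device view a child gets is bounded by what the parent was given, not something the child can widen from inside.

```conf
# Added example jail.conf (hypothetical names and paths, not the poster's file).
# Settings at file scope apply to every jail defined below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
allow.raw_sockets;
path = "/jails/$name";                     # placeholder layout: /jails/fw, /jails/fw.jump, ...
host.hostname = "$name.example.internal";  # placeholder domain

# Parent: the firewall/gateway jail. It carries the custom devfs ruleset from the
# post and the mount permissions a parent needs to bring up thin children.
fw {
    devfs_ruleset = 11;       # the poster's custom firewall ruleset
    allow.mount;              # required for children to mount devfs/nullfs
    allow.mount.devfs;
    allow.mount.nullfs;
    enforce_statfs = 1;       # must be below 2 for devfs mounts inside the jail
    children.max = 2;         # exactly the two DMZ children below
}

# Children: the dotted name makes each a child of "fw". A value of 0 means the
# child enforces no ruleset of its own and inherits the parent's enforcement,
# which is the behaviour the post describes.
fw.jump {
    devfs_ruleset = 0;
}

fw.rproxy {
    devfs_ruleset = 0;
}
```

To see what each jail actually ended up with, the effective values can be read back from the host with jls(8), for example `jls -j fw.jump devfs_ruleset enforce_statfs children.max`, and compared against `jls -j fw ...`; checking the child rather than trusting the config is the quickest way to confirm whether a parameter was tightened, inherited, or silently left at the parent's value.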