What processes belong in a jail?

Hello and Greetings,

I have a box hosting a single website. I installed httpd with no jail. I have since learned that I should be running it inside a jail. I have read about jails and I am confident I can configure one. Thanks to obscurity, so far I have had no problems.

I am planning to upgrade to a better box so I thought I would do it right this time. I will be adding DNS Server and MTA to its duties. I have been reading about chroot and jails in my spare time and have answered all but a few questions.

1. What processes belong in a jail?

2. How are hundreds of users quarantined on machines hosting web sites?

Thanks,

Mike
 
Each 'net-facing daemon in its own FreeBSD Jail is great, where possible/practical. The idea is: if one service suffers any form of compromise, it will likely be more difficult for it to affect a) other services; b) the host system.

Not sure I understand your second question. What are you trying to accomplish? What sorts of users? (Shell accounts?)
 
Revised questions

Thank you for the reply Anomie.

1. Does BIND belong in a jail too?

2. Should folks that I am web hosting for get a shell or should they just get ftp access to their user-land space? If they do get a shell how are they kept from doing things and seeing things they should not? If they don't get a shell how do they perform administrative tasks on their user-land directories and files? Without bugging the administrator.

Chroot and jails are common conventions used to control users on a number of modern commercial systems. What is the standard practice for user control on FreeBSD? It seems that I will find the answer is a combination of chroot and MAC.

For now I am seeking a book that covers these topics in detail.

regards,

Mike
 
1. The default setup of BIND is chrooted in FreeBSD. That is already quite secure but if I was hosting a BIND DNS server in a high risk environment I would definitely put it into a jail of its own and also keep the chroot setup.
 
Recap

Thanks kpa

So named should be inside a jail and chroot is used in the jail. That is chroot inside of a chroot. I was confused about that because I had read that named has an automatic chroot convention and I also read that DNS Server should be in a jail. I now understand that it is both.

Wow, I am going to continue to study. Thanks FreeBSD for making it possible to learn so many different concepts and thanks to the FreeBSD community of experts that share with the rest of us.

I am still wondering how to sandbox users. But for now I am going to learn to build and configure jails for my high risk services to run within.

Thanks again!
 
mroussin51 said:
Should folks that I am web hosting for get a shell or should they just get ftp access to their user-land space? If they do get a shell how are they kept from doing things and seeing things they should not? If they don't get a shell how do they perform administrative tasks on their user-land directories and files? Without bugging the administrator.

What exact tasks do the end users need to be able to perform? If they need to transfer files to/from the server, then SFTP may be a good candidate.

If they legitimately need to work (e.g. edit files, execute programs) on the server, then they may need a shell.

OpenSSH itself can be placed inside a FreeBSD Jail such that end users don't get access to the host system, or to other jails. You can control whether they have access to each others' files through standard filesystem permissions.

mroussin51 said:
For now I am seeking a book that covers these topics in detail.

Though it could probably use a new edition release at this point (it was written for FreeBSD 7), I recommend: https://www.michaelwlucas.com/nonfiction/absolute-freebsd
 
I believe a good general rule is any network service should be placed inside a jail. As for your users, I recommend giving them FTP and SFTP access only. For web hosting there really isn't any reason to give them shell access.
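
An added illustration of the one-jail-per-service layout recommended in this thread (not posted by any participant). Jail names, the path layout, hostnames and the 192.0.2.0/24 documentation addresses are assumptions:

```conf
# /etc/jail.conf: constructed example, all names and addresses are placeholders

# Defaults inherited by every jail defined below
exec.start = "/bin/sh /etc/rc";           # boot the jail's own rc system
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                               # run jail commands with a clean environment
mount.devfs;                              # give each jail its own /dev
devfs_ruleset = 4;                        # devfsrules_jail: hide host devices
enforce_statfs = 2;                       # jail sees only its own root mount point
path = "/usr/local/jails/${name}";        # one separate filesystem tree per jail
host.hostname = "${name}.example.org";

# One 'net-facing daemon per jail, so a compromise of one service
# stays contained within that jail's tree and address.
www {                                     # httpd
    ip4.addr = 192.0.2.10;
}

dns {                                     # named, which keeps its own chroot inside the jail
    ip4.addr = 192.0.2.11;
}

mail {                                    # MTA
    ip4.addr = 192.0.2.12;
}

sftp {                                    # OpenSSH for hosting customers, no host access
    ip4.addr = 192.0.2.13;
}
```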
 
Solved

Anomie and NewGuy,

Thanks, you two!

It is a lot more clear to me now. I should be able to answer further questions through trial and error.

Best regards,

Mike
 