Requesting advice on Jail technique.

albi albi at scii.nl
Tue Sep 13 07:02:24 PDT 2005


On Tue, 13 Sep 2005 14:43:00 +0100
Elliot Crosby-McCullough <freebsd at xianshi.org> wrote:


> 	Obviously jails are a good start, but my main concern is whether to go 
> for one large jail for all the restricted users or one small jail per user.
-- cut --
> 	The accounts themselves will be supremely limited.  No root access, 
> just basics such as ssh, perhaps telnet, mutt etc.  I do not want the 
> users to have the ability to run any scripts, so perl etc is out, but I 
> suppose the NAT firewall will be a fallback if any compiled programs are 
> uploaded.
> 
> 	Each user account is likely to have email/gpg etc but I'm happy to 
> control that from the host system with virtual users and simply deliver 
> into the jail.  It is not necessary for the jails to run any services, 
> except the ability to SSH in.

you could follow the ideas i've used, http://scii.nl/~albi/BSD/new.txt
(this is part of an "unfinished howto")

the idea is that you make a build-jail to build all the ports,
the /bin /sbin /usr/bin /usr/sbin get mounted via nullfs from the host,
which basically means that you only have to do the "make installworld"
once, only for the host-system

the build-jail software then gets mounted (as much or less if you like)
from the jails, and of course you can limit their access by changing
permissions on the /bin dirs etc. or just giving them their needed
binaries hard-linked in their ~/bin

you can try the new chroot-option from the latest openssh-portable for
them (and disable the base-ssh), although i have personally not played
with that option yet

making separate ssh-jails for them is possible with ip_aliases, no real
IPs needed

HTH

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
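
The nullfs layout described in the message above, sketched as an added example that is not part of the original post: it generates the fstab(5) lines that share the host's four binary directories with a jail, and checks an fstab for nullfs mounts left writable. The jail root `/usr/jails/user1`, the function names and the read-only (`ro`) option are assumptions, not taken from the message or the linked howto.

```shell
#!/bin/sh
# Added example. The four directories are the ones named in the message;
# the jail root path and the "ro" option are assumptions.
JAIL_DIRS="/bin /sbin /usr/bin /usr/sbin"

# jail_fstab <jailroot>: print one fstab(5) line per shared directory.
# Each host directory is nullfs-mounted read-only at the same path under
# the jail root, so a process inside the jail cannot alter host binaries.
jail_fstab() {
    root=${1%/}                       # drop a trailing slash
    case $root in
        /?*) ;;                       # absolute path, and not "/" itself
        *) echo "jail_fstab: need an absolute jail root" >&2; return 1 ;;
    esac
    for d in $JAIL_DIRS; do
        # device  mountpoint  fstype  options  dump  pass
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$d" "$root" "$d"
    done
}

# fstab_rw_nullfs: read fstab text on stdin and print the mountpoint of
# every nullfs entry whose option list lacks "ro".
# Exit status is 1 if any such entry exists, 0 otherwise.
fstab_rw_nullfs() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }       # skip comments and blank lines
        $3 == "nullfs" {
            n = split($4, opt, ","); ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) { print $2; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample: lines for one per-user jail, ready to append to the
# fstab that the jail's mounts are read from.
jail_fstab /usr/jails/user1
```

Piping an existing fstab through `fstab_rw_nullfs` lists any shared directory that a jailed process with sufficient privilege could still write to.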


More information about the freebsd-questions mailing list