Requesting advice on Jail technique.
albi
albi at scii.nl
Tue Sep 13 07:02:24 PDT 2005
On Tue, 13 Sep 2005 14:43:00 +0100
Elliot Crosby-McCullough <freebsd at xianshi.org> wrote:
> Obviously jails are a good start, but my main concern is whether to go
> for one large jail for all the restricted users or one small jail per user.
-- cut --
> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
>
> Each user account is likely to have email/gpg etc but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail. It is not necessary for the jails to run any services,
> except the ability to SSH in.
you could follow the ideas i've used, http://scii.nl/~albi/BSD/new.txt
(this is part of an "unfinished howto")
the idea is that you make a build-jail to build all the ports,
the /bin /sbin /usr/bin /usr/sbin get mounted via nullfs from the host,
which basically means that you only have to do the "make installworld"
once, only for the host-system
the build-jail software then get mounted (as much or less if you like)
from the jails, and of course you can limit their access by changing
permissions on the /bin dirs etc. or just giving them their needed
binaries hard-linked in their ~/bin
you can try the new chroot-option from the latest openssh-portable for
them (and disable the base-ssh), although i have personally not played
with that option yet
making separate ssh-jails for them is possible with ip_aliases, no real
ip's needed
HTH
--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
More information about the freebsd-questions
mailing list