Requesting advice on Jail technique.

Malachi de Ælfweald malachid at gmail.com
Thu Sep 22 17:51:03 PDT 2005


I am thinking at this point what I am going to try to do is build a jail
skeleton, then use unionfs to mount on top of that... so in theory, I could
save a LOT of space while at the same time giving them pretty complete jails
(one per domain).
 Malachi

 On 9/13/05, Frank Mueller - emendis GmbH <Frank.Mueller at emendis.de> wrote:
>
> Hi there,
>
> if you have enough system resources I would recommend using seperate
> jails for every user.
> All u have to keep in mind is that you won't be able to provide some
> services (SMTP, POP, IMAP, usw.) more than once for the whole system
> because they need a predefined port (25, 110, 443, usw.).
> Some other services, like ssh u can manage through port forwarding, http
> through virtual hosting, etc.
> Separate jails make it much easier to keep track of activities.
> It all depends on what applications the user should be able to use.
>
> Greetz,
>
> Ice
>
> Elliot Crosby-McCullough schrieb:
> > Dear all,
> >
> > I will shortly be creating a public service on a private box that
> > will include shell access to untrusted users and would like your opinion
> > on the best way to go about this.
> >
> > Obviously jails are a good start, but my main concern is whether to
> > go for one large jail for all the restricted users or one small jail per
> > user.
> >
> > I do not have a wealth of real IPs at my disposal but accountability
> > and security is paramount, therefore I would like to use local IPs
> > through NAT (within the one box) whilst retaining the translation logs.
> > I would like to use one local IP per user in order to keep track of
> > activity. I can afford a few real IPs for the purpose.
> >
> > The accounts themselves will be supremely limited. No root access,
> > just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> > users to have the ability to run any scripts, so perl etc is out, but I
> > suppose the NAT firewall will be a fallback if any compiled programs are
> > uploaded.
> >
> > Each user account is likely to have email/gpg etc but I'm happy to
> > control that from the host system with virtual users and simply deliver
> > into the jail. It is not necessary for the jails to run any services,
> > except the ability to SSH in.
> >
> > As you can see there are factors pulling in both directions, what
> > would you recommend as the best direction to go?
> >
> > Sincerely,
> > Elliot Crosby-McCullough
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
>
> --
> Frank Mueller
> eMail: Frank.Mueller at emendis.de
> Mobil: +49.177.6858655
> Fax: +49.951.3039342
>
> emendis GmbH
> Hofmannstr. 89, 91052 Erlangen, Germany
> Fon: +49.9131.817361
> Fax: +49.9131.817386
>
> Geschaeftsfuehrer: Gunter Kroeber, Volker Wiesinger
> Sitz Erlangen, Amtsgericht Fuerth HRB 10116
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>


More information about the freebsd-questions mailing list