Requesting advice on Jail technique.

sd sd at buc.com.ua
Fri Sep 23 05:27:01 PDT 2005


Hello,

I use different jails for nearly every network service I have to provide: 
httpd, smtp/pop3, squid, log collector.
It's quite difficult to build each particular jail with those programs 
and corresponding libraries which will be needed in it. That is why I 
made the following simple script to make a jail and to add needed 
programs to it (you will have to change the absolute paths):

#!/bin/sh
# Build a minimal jail tree and copy programs plus the shared libraries
# they need into it. Adjust the absolute paths for your system.

LDD=/usr/bin/ldd
MD=/bin/mkdir

# fstat FILE: print mode, uid and gid (FreeBSD stat(1) default output).
fstat() {
	stat "$1" | awk '{ print $3, $5, $6 }'
}

# copyone SRC: copy SRC to $DSTDIR/SRC, creating the directory on the way.
# cp -p keeps mode and ownership (when run as root); warn if they still differ.
copyone() {
	src=$1
	dir=$(dirname "$src")
	dst=$DSTDIR$dir/$(basename "$src")
	[ -d "$DSTDIR$dir" ] || $MD -p "$DSTDIR$dir"
	cp -p "$src" "$DSTDIR$dir"
	if [ "$(fstat "$src")" != "$(fstat "$dst")" ]; then
		echo "Warning - $src and $dst modes differ"
		ls -la "$src" "$dst"
	fi
}

# docommand: copy program $TGT and every shared library ldd(1) reports for it.
# ldd prints a "/bin/sh:" header line followed by "lib => /path (0x...)" lines;
# the grep drops the header and awk picks the path.
docommand() {
	bin=$(which "$TGT")
	if [ -z "$bin" ]; then
		echo "Warning - $TGT not found in PATH, skipped"
		return 1
	fi
	copyone "$bin"
	for lib in $($LDD "$bin" 2>/dev/null | grep -v ":" | awk '{ print $3 }'); do
		copyone "$lib"
	done
}

echo "where you want base dir to be?"
read DSTDIR
[ -z "$DSTDIR" ] && DSTDIR=/usr/home
echo "$DSTDIR"

echo "how do you want to call this jail?"
read JDIR
[ -z "$JDIR" ] && JDIR=10.10.10.10
echo "$JDIR"
DSTDIR=$DSTDIR/$JDIR

if [ ! -d "$DSTDIR" ]; then
	$MD -p "$DSTDIR"
	echo "DEST: $DSTDIR"
	$MD "$DSTDIR/dev" && echo "Please copy devices!!!"
	# Device nodes cannot be copied with a plain cp (you get empty regular
	# files). On FreeBSD 5 and later /dev is devfs: mount it inside the jail,
	#     mount -t devfs devfs $DSTDIR/dev
	# and restrict it with a devfs ruleset. On pre-devfs systems use
	# cp -R /dev/{fd,net,kmem,log,mem,null,random,stderr,stdin,stdout,urandom,zero}
	# or MAKEDEV. Do that now, then confirm.
	echo 'Write "yes" after'
	read y
	[ "$y" != "yes" ] && exit 0
	for d in bin etc lib libexec home proc tmp usr var var/run; do
		$MD -p "$DSTDIR/$d"
	done
	cp -p /libexec/ld-elf.so.1 "$DSTDIR/libexec/"
	# some programs expect /kernel to exist; point it at dev/null
	(cd "$DSTDIR" && ln -s dev/null ./kernel)
	for TGT in sh mail syslogd newsyslog cron; do
		docommand
	done
fi

echo "what programs d'you want to copy?"
read TGT
[ -z "$TGT" ] && exit 0
# one or several names separated by spaces
for TGT in $TGT; do
	docommand
done
exit 0


Another one to see the processes in different jails:
#!/bin/sh
# List jailed processes, coloured per jail. Jailed processes carry "J" in
# the STAT column of ps(1). The jail a process belongs to is inferred from
# the path of its executable in procfs (/proc/PID/file): the jail roots are
# expected under /usr/home/<jailname>, i.e. the 4th path component.
# With "x" as first argument the IPv4 sockets of each process are listed
# via lsof (sysutils/lsof port) as well.

IFS='
'
mounted_here=0
if ! mount | grep -q ' /proc '; then
	mount -t procfs proc /proc && mounted_here=1
fi

# ps -ajxfw columns: USER PID PPID PGID SID JOBC STAT TT TIME COMMAND;
# skip the header and keep rows whose STAT ($7) contains J.
for i in $(ps -ajxfw | awk 'NR > 1 && $7 ~ /J/'); do
	uid=$(echo "$i" | awk '{ print $1 }')
	pid=$(echo "$i" | awk '{ print $2 }')
	jail=$(readlink "/proc/$pid/file" | awk -F'/' '{ print $4 }')
	# last dotted component of the jail name, e.g. "220" for 10.10.10.220
	tag=$(echo "$jail" | awk -F'.' '{ print $4 }')
	# colour per jail; the names are site-specific, adjust to taste
	case "$tag" in
	buk) color=2 ;;
	198) color=4 ;;
	220) color=5 ;;
	222) color=6 ;;
	*)   color=5 ;;
	esac
	status=$(awk '{ printf $1"\t"$15 }' "/proc/$pid/status")
	printf '\033[1;1;4%sm%s, %s:\033[2;0m %s\t%s' "$color" "$jail" "$pid" "$status" "$uid"
	if [ "$1" = x ]; then
		printf ' %s' "$(lsof -nn -p "$pid" | grep IPv4 | awk '{ print $8, $9, $12 }')"
	fi
	printf '\n'
done

[ "$mounted_here" -eq 1 ] && umount /proc
exit 0



> Date: Thu, 22 Sep 2005 17:51:02 -0700
> From: Malachi de Ælfweald <malachid at gmail.com>
> Subject: Re: Requesting advice on Jail technique.
> To: Frank.Mueller at emendis.de
> Cc: Elliot Crosby-McCullough <freebsd at xianshi.org>,
> 	freebsd-questions at freebsd.org
> Message-ID: <c090347a05092217516ce9506d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I am thinking at this point what I am going to try to do is build a jail
> skeleton, then use unionfs to mount on top of that... so in theory, I could
> save a LOT of space while at the same time giving them pretty complete jails
> (one per domain).
>  Malachi
> 
>  On 9/13/05, Frank Mueller - emendis GmbH <Frank.Mueller at emendis.de> wrote:
> 
>>>
>>> Hi there,
>>>
>>> if you have enough system resources I would recommend using separate
>>> jails for every user.
>>> All you have to keep in mind is that you won't be able to provide some
>>> services (SMTP, POP, IMAP, etc.) more than once for the whole system
>>> because they need a predefined port (25, 110, 443, etc.).
>>> Some other services, like ssh, you can manage through port forwarding, http
>>> through virtual hosting, etc.
>>> Separate jails make it much easier to keep track of activities.
>>> It all depends on what applications the user should be able to use.
>>>
>>> Greetz,
>>>
>>> Ice
>>>
>>> Elliot Crosby-McCullough wrote:
>>
>>>> > Dear all,
>>>> >
>>>> > I will shortly be creating a public service on a private box that
>>>> > will include shell access to untrusted users and would like your opinion
>>>> > on the best way to go about this.
>>>> >
>>>> > Obviously jails are a good start, but my main concern is whether to
>>>> > go for one large jail for all the restricted users or one small jail per
>>>> > user.
>>>> >
>>>> > I do not have a wealth of real IPs at my disposal but accountability
>>>> > and security is paramount, therefore I would like to use local IPs
>>>> > through NAT (within the one box) whilst retaining the translation logs.
>>>> > I would like to use one local IP per user in order to keep track of
>>>> > activity. I can afford a few real IPs for the purpose.
>>>> >
>>>> > The accounts themselves will be supremely limited. No root access,
>>>> > just basics such as ssh, perhaps telnet, mutt etc. I do not want the
>>>> > users to have the ability to run any scripts, so perl etc is out, but I
>>>> > suppose the NAT firewall will be a fallback if any compiled programs are
>>>> > uploaded.
>>>> >
>>>> > Each user account is likely to have email/gpg etc but I'm happy to
>>>> > control that from the host system with virtual users and simply deliver
>>>> > into the jail. It is not necessary for the jails to run any services,
>>>> > except the ability to SSH in.
>>>> >
>>>> > As you can see there are factors pulling in both directions, what
>>>> > would you recommend as the best direction to go?
>>>> >
>>>> > Sincerely,
>>>> > Elliot Crosby-McCullough
>>>> > _______________________________________________
>>>> > freebsd-questions at freebsd.org mailing list
>>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> > To unsubscribe, send any mail to
>>>> > "freebsd-questions-unsubscribe at freebsd.org"
>>
>>>
>>> --
>>> Frank Mueller
>>> eMail: Frank.Mueller at emendis.de
>>> Mobil: +49.177.6858655
>>> Fax: +49.951.3039342
>>>
>>> emendis GmbH
>>> Hofmannstr. 89, 91052 Erlangen, Germany
>>> Fon: +49.9131.817361
>>> Fax: +49.9131.817386
>>>
>>> Managing directors: Gunter Kroeber, Volker Wiesinger
>>> Registered office Erlangen, Amtsgericht Fuerth HRB 10116
> 
> 
> 

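The first script above copies a program and whatever ldd(1) lists for it into the jail, but it loses file modes (plain cp) and silently does nothing when the program is not in PATH. The following is an added example, not the poster's script, that does the same job as reusable functions: it parses ldd output (both the FreeBSD "/bin/sh:" header plus "lib => /path" form and the glibc form with a bare loader line), copies with cp -p so mode and ownership survive, and verifies the result. The function names (ldd_libs, attrs, install_into, jailcp) and the sample ldd lines in the usage note are this example's own.

```shell
#!/bin/sh
# jailcp: copy a program and the shared libraries ldd(1) reports for it
# into a jail root, preserving mode and ownership, then verify the copies.
# All names here are this example's own, not the original script's.

# ldd_libs: read ldd(1) output on stdin, print absolute library paths.
# Handles "name => /path (0x...)" lines (FreeBSD and glibc) and the bare
# "/path (0x...)" line glibc prints for the loader; skips the "/bin/sh:"
# header and entries without a path (e.g. linux-vdso.so.1).
# LC_ALL=C keeps the order stable regardless of the caller's locale.
ldd_libs() {
	awk '
		$2 == "=>" && $3 ~ /^\// { print $3; next }
		$1 ~ /^\// && $1 !~ /:$/  { print $1 }
	' | LC_ALL=C sort -u
}

# attrs FILE: mode, owner and group, following symlinks (-L) so a symlinked
# library compares against the real file that cp -p created in the jail.
attrs() {
	ls -ldL "$1" | awk '{ print $1, $3, $4 }'
}

# install_into ROOT SRC: copy SRC to ROOT/SRC, creating the directory.
# cp -p keeps mode and times, and ownership when run as root; a mismatch
# is reported on stderr instead of being silently ignored.
install_into() {
	root=$1
	src=$2
	dst="$root$src"
	mkdir -p "$(dirname "$dst")" || return 1
	cp -p "$src" "$dst" || return 1
	if [ "$(attrs "$src")" != "$(attrs "$dst")" ]; then
		echo "warning: attributes differ: $src vs $dst" >&2
	fi
	return 0
}

# jailcp ROOT PROGRAM: resolve PROGRAM via PATH and install it together with
# its shared-library dependencies. A statically linked program is simply
# copied, since ldd reports no libraries for it.
jailcp() {
	root=$1
	prog=$2
	bin=$(command -v "$prog") || { echo "jailcp: $prog not in PATH" >&2; return 1; }
	install_into "$root" "$bin" || return 1
	for lib in $(ldd "$bin" 2>/dev/null | ldd_libs); do
		install_into "$root" "$lib" || return 1
	done
	return 0
}

# usage: sh jailcp.sh /usr/home/10.10.10.10 sh
if [ "$#" -ge 2 ]; then
	jailcp "$1" "$2"
fi
```

Run it as root so ownership is preserved; the attribute check then catches the case where a library is copied into a directory the jail's unprivileged user could overwrite. Note that ldd only reports link-time dependencies: anything the program dlopen()s at run time (NSS modules, PAM modules, locale data) still has to be added by hand.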

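The second script above finds a process's jail by taking the fourth component of /proc/PID/file, which only works while every jail root sits directly under /usr/home. As an added example (not the poster's code) the following does the grouping by joining two command outputs instead: jls(8), whose default columns are assumed to be JID, IP Address, Hostname and Path, and ps(1) with the jid keyword (ps -axo jid,pid,user,comm), which is assumed to be available on the FreeBSD release in use. Both outputs are read from files so the join can be checked on constructed samples; the function name jail_procs and the sample hostnames are this example's own.

```shell
#!/bin/sh
# Group jailed processes under the name of their jail by joining jls(8)
# output (JID -> hostname) with ps(1) output carrying the jid column.
# jail_procs JLS_FILE PS_FILE prints "jailname pid user command" lines,
# sorted by jail, and skips host processes (jid 0).
# Assumed input formats (constructed samples are in the usage note):
#   jls                        ->  "JID  IP Address  Hostname  Path" header,
#                                  then "1  10.10.10.198  web.example.org  /usr/home/10.10.10.198"
#   ps -axo jid,pid,user,comm  ->  "JID PID USER COMMAND" header, then rows

jail_procs() {
	jls_out=$1
	ps_out=$2
	awk '
		# first file: jls. Skip the header; in data rows $1 is the JID and
		# $3 the hostname (the header has "IP Address" as two words, the
		# data rows have the address as a single field).
		NR == FNR { if (FNR > 1) name[$1] = $3; next }
		# second file: ps. Skip the header and host processes (jid 0);
		# a jid with no jls entry (jail already gone) is printed as jidN.
		FNR > 1 && $1 != 0 {
			jail = ($1 in name) ? name[$1] : "jid" $1
			print jail, $2, $3, $4
		}
	' "$jls_out" "$ps_out" | LC_ALL=C sort
}

# usage:  jls > /tmp/jls.txt; ps -axo jid,pid,user,comm > /tmp/ps.txt
#         sh jailps.sh /tmp/jls.txt /tmp/ps.txt
if [ "$#" -eq 2 ]; then
	jail_procs "$1" "$2"
fi
```

Because the jail id comes from the kernel rather than from the executable's path, this also classifies processes correctly when a jail root lives somewhere other than /usr/home, and when a jailed program was started from a binary outside the jail tree.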
