Requesting advice on Jail technique.
sd
sd at buc.com.ua
Fri Sep 23 05:27:01 PDT 2005
Hello,
I use different jails for nearly each network service I have to provide:
httpd, smtp/pop3, squid, log collector.
It's quite difficult to build each particular jail with those programs
and corresponding libraries which will be needed in it. That is why I
made the following simple script to make a jail and to add needed
programs to it (you will have to change the absolute paths):
#!/bin/sh
# Build a minimal jail directory and copy programs into it together with the
# shared libraries ldd reports for them.  Change the absolute paths (default
# base directory, /libexec/ld-elf.so.1) to match your host.

LDD=/usr/bin/ldd
MD=/bin/mkdir

# Print "mode uid gid" of a file, taken from the default stat(1) output.
fstat() {
    stat "$1" | awk '{ print $3, $5, $6 }'
}

# Copy one file into the jail at the same path, creating the directory if
# needed, then warn when the copy's mode or owner differ from the original.
copyfile() {
    SRC=$1
    SRCDIR=$(dirname "$SRC")
    DST="$DSTDIR$SRCDIR/$(basename "$SRC")"
    SRCSTAT=$(fstat "$SRC")
    $MD -p "$DSTDIR$SRCDIR" && cp "$SRC" "$DSTDIR$SRCDIR"
    DSTSTAT=$(fstat "$DST")
    if [ "$SRCSTAT" != "$DSTSTAT" ]
    then
        echo "Warning - $SRC and $DST modes differ"
        ls -la "$SRC"
        ls -la "$DST"
    fi
}

# Copy the program named in $TGT plus every shared library it links against.
docommand() {
    TMP=$(which "$TGT")
    if [ -z "$TMP" ]
    then
        echo "Warning - $TGT not found in PATH, skipped"
        return 1
    fi
    copyfile "$TMP"
    # ldd prints "prog:" first, then "lib => /path (addr)" lines; $3 is the path
    for aa in $($LDD "$TMP" | grep -v ":" | awk '{ print $3 }')
    do
        copyfile "$aa"
    done
}

echo "where you want base dir to be?"
read DSTDIR
if [ -z "$DSTDIR" ]
then
    DSTDIR=/usr/home
fi
echo "$DSTDIR"
if [ ! -d "$DSTDIR" ]
then
    mkdir -p "$DSTDIR"
fi

echo "how do you want to call this jail?"
read JDIR
if [ -z "$JDIR" ]
then
    JDIR=10.10.10.10
fi
echo "$JDIR"
DSTDIR=$DSTDIR/$JDIR

# First run for this jail: create the directory skeleton and the base programs.
if [ ! -d "$DSTDIR" ]
then
    mkdir -p "$DSTDIR"
    echo "DEST: $DSTDIR"
    # cp(1) without -R copies a device's contents, not the node, so the
    # device nodes still have to be provided by hand; confirm before going on.
    mkdir "$DSTDIR/dev" && echo "Please copy devices!!!"
    cp /dev/null "$DSTDIR/dev/"
    echo 'Write "yes" after'
    read y
    if [ "$y" != "yes" ]; then exit 0; fi
    # for iiii in fd net kmem log mem null random stderr stdin stdout urandom zero
    # do
    #     cp /dev/$iiii "$DSTDIR/dev/"
    # done
    mkdir "$DSTDIR/bin"
    mkdir "$DSTDIR/etc"
    mkdir "$DSTDIR/lib"
    # the run-time linker is needed by every dynamically linked program
    mkdir "$DSTDIR/libexec" && cp /libexec/ld-elf.so.1 "$DSTDIR/libexec/"
    mkdir "$DSTDIR/home"
    mkdir "$DSTDIR/proc"
    mkdir "$DSTDIR/tmp"
    mkdir "$DSTDIR/usr"
    mkdir "$DSTDIR/var"
    mkdir "$DSTDIR/var/run"
    # placeholder /kernel entry
    cd "$DSTDIR" && ln -s dev/null ./kernel
    for TGT in sh mail syslogd newsyslog cron
    do
        docommand
    done
fi

echo "what programs d'you want to copy?"
read TGT
echo "$TGT"
if [ -z "$TGT" ]
then
    exit 0
fi
docommand
exit 0
Another one to see the processes in different jails:
#!/bin/sh
# List jailed processes (ps STAT column contains "J"), tagged with the jail
# they run in.  The jail name is read from the executable's path under /proc
# (jail roots live in /usr/home/<name>, as created by the script above) and
# the last dotted component of that name picks a background colour.
# Run with argument "x" to also list each process's IPv4 sockets via lsof.

IFS='
'
mount -t procfs proc /proc
ii=1
for i in $(ps -ajxfw | grep "J" | grep -v grep)
do
    uid=$(echo "$i" | awk '{ print $1 }')
    pid=$(echo "$i" | awk '{ print $2 }')
    # line 1 is the ps header
    if [ $ii -ne 1 ]
    then
        # /proc/<pid>/file -> /usr/home/<jail>/...: field 4 is the jail name
        iiii=$(readlink /proc/$pid/file | awk -F'/' '{ print $4 }')
        iii=$(echo "$iiii" | awk -F'.' '{ print $4 }')
        case "$iii" in
            buk) iiiii=2 ;;
            198) iiiii=4 ;;
            220) iiiii=5 ;;
            222) iiiii=6 ;;
            *)   iiiii=5 ;;
        esac
        # command name and field 15 of /proc/<pid>/status
        status=$(awk '{ printf $1"\t"$15 }' /proc/$pid/status)
        printf '\033[1;1;4%sm%s, %s:\033[2;0m %s %s' "$iiiii" "$iiii" "$pid" "$status" "$uid"
        if [ "$1" = x ]
        then
            printf ' %s' "$(lsof -nn -p "$pid" | grep IPv4 | awk '{ print $8, $9, $12 }')"
        fi
        printf '\n'
    fi
    ii=$(expr $ii + 1)
done
umount /proc
> Date: Thu, 22 Sep 2005 17:51:02 -0700
> From: Malachi de Ælfweald <malachid at gmail.com>
> Subject: Re: Requesting advice on Jail technique.
> To: Frank.Mueller at emendis.de
> Cc: Elliot Crosby-McCullough <freebsd at xianshi.org>,
> freebsd-questions at freebsd.org
> Message-ID: <c090347a05092217516ce9506d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I am thinking at this point what I am going to try to do is build a jail
> skeleton, then use unionfs to mount on top of that... so in theory, I could
> save a LOT of space while at the same time giving them pretty complete jails
> (one per domain).
> Malachi
>
> On 9/13/05, Frank Mueller - emendis GmbH <Frank.Mueller at emendis.de> wrote:
>
>>>
>>> Hi there,
>>>
>>> if you have enough system resources I would recommend using separate
>>> jails for every user.
>>> All you have to keep in mind is that you won't be able to provide some
>>> services (SMTP, POP, IMAP, etc.) more than once for the whole system
>>> because they need a predefined port (25, 110, 443, etc.).
>>> Some other services, like ssh you can manage through port forwarding, http
>>> through virtual hosting, etc.
>>> Separate jails make it much easier to keep track of activities.
>>> It all depends on what applications the user should be able to use.
>>>
>>> Greetz,
>>>
>>> Ice
>>>
>>> Elliot Crosby-McCullough wrote:
>>
>>>> > Dear all,
>>>> >
>>>> > I will shortly be creating a public service on a private box that
>>>> > will include shell access to untrusted users and would like your opinion
>>>> > on the best way to go about this.
>>>> >
>>>> > Obviously jails are a good start, but my main concern is whether to
>>>> > go for one large jail for all the restricted users or one small jail per
>>>> > user.
>>>> >
>>>> > I do not have a wealth of real IPs at my disposal but accountability
>>>> > and security are paramount, therefore I would like to use local IPs
>>>> > through NAT (within the one box) whilst retaining the translation logs.
>>>> > I would like to use one local IP per user in order to keep track of
>>>> > activity. I can afford a few real IPs for the purpose.
>>>> >
>>>> > The accounts themselves will be supremely limited. No root access,
>>>> > just basics such as ssh, perhaps telnet, mutt etc. I do not want the
>>>> > users to have the ability to run any scripts, so perl etc is out, but I
>>>> > suppose the NAT firewall will be a fallback if any compiled programs are
>>>> > uploaded.
>>>> >
>>>> > Each user account is likely to have email/gpg etc but I'm happy to
>>>> > control that from the host system with virtual users and simply deliver
>>>> > into the jail. It is not necessary for the jails to run any services,
>>>> > except the ability to SSH in.
>>>> >
>>>> > As you can see there are factors pulling in both directions, what
>>>> > would you recommend as the best direction to go?
>>>> >
>>>> > Sincerely,
>>>> > Elliot Crosby-McCullough
>>>> > _______________________________________________
>>>> > freebsd-questions at freebsd.org mailing list
>>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> > To unsubscribe, send any mail to
>>>> > "freebsd-questions-unsubscribe at freebsd.org"
>>
>>>
>>> --
>>> Frank Mueller
>>> eMail: Frank.Mueller at emendis.de
>>> Mobil: +49.177.6858655
>>> Fax: +49.951.3039342
>>>
>>> emendis GmbH
>>> Hofmannstr. 89, 91052 Erlangen, Germany
>>> Fon: +49.9131.817361
>>> Fax: +49.9131.817386
>>>
>>> Geschaeftsfuehrer: Gunter Kroeber, Volker Wiesinger
>>> Sitz Erlangen, Amtsgericht Fuerth HRB 10116
>>>
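The jail-population script at the top of this message copies a program and whatever ldd lists for it, and only warns when modes differ. As an added example (not the original poster's script and not a FreeBSD tool), the POSIX sh below does the same job with two checks a practitioner would want: every copy is verified against its source by checksum and mode bits, and any setuid/setgid binary that lands in the jail is reported explicitly. It assumes ldd prints "name => /path (addr)" or "/path (addr)" lines (both FreeBSD and GNU ldd do), that the jail root is passed as the first argument with program names after it, and that paths inside the jail mirror the host paths; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: populate a jail root with a program and the shared libraries
# ldd reports for it, verifying every copy.  Assumptions: ldd output in the
# "name => /path (addr)" or "/path (addr)" form; jail root as $1, programs
# after it; host paths mirrored inside the jail.

# Read ldd output on stdin and print one absolute library path per line.
# Skips the "prog:" header, "not a dynamic executable", and entries such as
# a vDSO that carry no path.
ldd_paths() {
    awk '
        /:$/ { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }
    '
}

# Print the 10-character mode string of a file (ls output, ACL markers cut).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed when the file is setuid or setgid: ls shows s/S in the owner or
# group execute position.
is_setid() {
    case "$(mode_of "$1")" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only when source and copy have identical content and mode bits.
verify_copy() {
    src_sum=$(cksum < "$1" | awk '{ print $1 }')
    dst_sum=$(cksum < "$2" | awk '{ print $1 }')
    [ "$src_sum" = "$dst_sum" ] && [ "$(mode_of "$1")" = "$(mode_of "$2")" ]
}

# Copy one host file to the same path under the jail root, keep its mode,
# verify the result and flag setuid/setgid binaries landing in the jail.
install_into_root() {
    root=$1
    src=$2
    dst="$root$src"
    mkdir -p "$(dirname "$dst")" || return 1
    cp -p "$src" "$dst" || return 1
    if ! verify_copy "$src" "$dst"; then
        echo "verification failed: $dst differs from $src" >&2
        return 1
    fi
    if is_setid "$src"; then
        echo "note: setuid/setgid file copied into jail: $dst" >&2
    fi
    return 0
}

# populate_jail ROOT PROG...: resolve each program through PATH, copy it and
# its ldd dependencies into ROOT.  Stops at the first failure.
populate_jail() {
    root=$1
    shift
    for prog in "$@"; do
        path=$(command -v "$prog") || { echo "not found: $prog" >&2; return 1; }
        case $path in
            /*) ;;
            *) echo "not an executable file: $prog" >&2; return 1 ;;
        esac
        install_into_root "$root" "$path" || return 1
        for lib in $(ldd "$path" | ldd_paths); do
            install_into_root "$root" "$lib" || return 1
        done
    done
}

# Example invocation (hypothetical jail root named as in this thread):
#   sh populate.sh /usr/home/10.10.10.10 sh syslogd cron
if [ $# -ge 2 ]; then
    populate_jail "$@"
fi
```

Because the copy keeps the source mode, a setuid binary copied into the jail stays setuid inside it; the note on stderr exists so that each such file is a deliberate choice rather than something that rode in with a library list.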