Noob Jail question.

[Indexer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 
> 
> SSH remote login for admin needs (But not for "root" login) Also working 
> well.

Good!

> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing 
> to do" with something that will be exposed to the www.  
> (Comments/advice?)

- From a security standpoint it makes sense, as it confines a malicous user *if* they get in.

> 
> But, how do I arrange it to safely get (read only) access to the website 
> data, without preventing the FTPD service from having access to update 
> that data.  FTPD will only be reachable from LAN side of the main gateway 
> router, Hiawatha will have an outside world port forwarded to it by the 
> router.

You notice the way jails work? they are essentially a fenced off part of your filesystem. So your jail may live in /usr/jails on the host system. You can access all the contents of the jail from the host of course.

An easy answer to this would be something like, have a directory called /var/www and have the FTPD write to that. Then mount /var/www as a nullfs in read only mode to /usr/jails/var/www, and point your webserver (which inside the jail is unaware of some of this) to /var/www (or to the host, the /usr/jails/var/www)


> 
> What I'm asking I guess, is..  Can a jail'd app, reach outside the jail 
> in "read only" mode.   (I suspect, maybe?)   Or can an app outside the 
> jail, drop stuff off inside the jail?  (For whatever reason, I suspect 
> not?)

A jailed app cannot reach "outside" , this defeat the purpose. On the other hand the host can "reach in"

The best way to learn is to try, so setting it up on a dev machine is probably the best way to go. Again, if you need more help, email this list.


Sincerely

William Brown

pgp.mit.edu



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQIcBAEBAgAGBQJNCVW3AAoJEHF16AnLoz6JXo4P/Rg0+pdhxP8tiKeqSGi6n9dy
hYj4KsnnG1diggB/+VI7tnffJqhm9HTqds9f+VXqx/YkTXNZirTBSbQtqAPz41Z6
FwAr1bAw5aUVQf8Pc80xsk9UMeI9L1wM7/rjRYRab1h6g8SBv2Gf/AZ4oLC3rO4C
PQwigplntB/MIYMBrAsizpBar7f+sPPpftxlYAIl3s3prysja1KTOW4l+NDOPO4U
OUQ2o5x4Gpbt/suhlrx/jjWhSRqyhwblN8DEXkwuIyR6HT9PuUOH05YDB1bg4nSs
OW8N5ZD6VoTkcDP1kayBoD5kEcRQX4eji9LksTnsJoxXb4bers1JyT2wsAYZr5LC
W45UEtvaHjidsP4mpnnaWMeHL7U89YEaUub8PtR3NYs2ky2A3stw2qKDemvQuP1q
QntJVeq8VETig139aKjBcEs04NW/8MkEajKigkDFmUEoHpFfxAsIsIUZO6P0QElQ
whcFTDLiq9IG+J+eeq3/YcykCWLJju1cnL0Nzah91L5GHTi866cR2vafP8aJN1/5
D2EQEoghbstIjgTtTBC5Y+csBDffzAS6MfjsJ0S8TC8fYBRSF5sAqQXAc3x/pNZ6
lw8GNgkAmLrrKMmRpbmnHJbGOs22udzfuqtEKMs+dme+L0xNeCuZSJGbxC2+CXtD
qayfvD4Kqj8yK+vYMBAt
=8A/f
-----END PGP SIGNATURE-----