Noob Jail question.
Indexer
indexer at internode.on.net
Wed Dec 15 23:56:45 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>
>
> SSH remote login for admin needs (But not for "root" login) Also working
> well.
Good!
> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing
> to do" with something that will be exposed to the www.
> (Comments/advice?)
- From a security standpoint it makes sense, as it confines a malicous user *if* they get in.
>
> But, how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update
> that data. FTPD will only be reachable from LAN side of the main gateway
> router, Hiawatha will have an outside world port forwarded to it by the
> router.
You notice the way jails work? they are essentially a fenced off part of your filesystem. So your jail may live in /usr/jails on the host system. You can access all the contents of the jail from the host of course.
An easy answer to this would be something like, have a directory called /var/www and have the FTPD write to that. Then mount /var/www as a nullfs in read only mode to /usr/jails/var/www, and point your webserver (which inside the jail is unaware of some of this) to /var/www (or to the host, the /usr/jails/var/www)
>
> What I'm asking I guess, is.. Can a jail'd app, reach outside the jail
> in "read only" mode. (I suspect, maybe?) Or can an app outside the
> jail, drop stuff off inside the jail? (For whatever reason, I suspect
> not?)
A jailed app cannot reach "outside" , this defeat the purpose. On the other hand the host can "reach in"
The best way to learn is to try, so setting it up on a dev machine is probably the best way to go. Again, if you need more help, email this list.
Sincerely
William Brown
pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQIcBAEBAgAGBQJNCVW3AAoJEHF16AnLoz6JXo4P/Rg0+pdhxP8tiKeqSGi6n9dy
hYj4KsnnG1diggB/+VI7tnffJqhm9HTqds9f+VXqx/YkTXNZirTBSbQtqAPz41Z6
FwAr1bAw5aUVQf8Pc80xsk9UMeI9L1wM7/rjRYRab1h6g8SBv2Gf/AZ4oLC3rO4C
PQwigplntB/MIYMBrAsizpBar7f+sPPpftxlYAIl3s3prysja1KTOW4l+NDOPO4U
OUQ2o5x4Gpbt/suhlrx/jjWhSRqyhwblN8DEXkwuIyR6HT9PuUOH05YDB1bg4nSs
OW8N5ZD6VoTkcDP1kayBoD5kEcRQX4eji9LksTnsJoxXb4bers1JyT2wsAYZr5LC
W45UEtvaHjidsP4mpnnaWMeHL7U89YEaUub8PtR3NYs2ky2A3stw2qKDemvQuP1q
QntJVeq8VETig139aKjBcEs04NW/8MkEajKigkDFmUEoHpFfxAsIsIUZO6P0QElQ
whcFTDLiq9IG+J+eeq3/YcykCWLJju1cnL0Nzah91L5GHTi866cR2vafP8aJN1/5
D2EQEoghbstIjgTtTBC5Y+csBDffzAS6MfjsJ0S8TC8fYBRSF5sAqQXAc3x/pNZ6
lw8GNgkAmLrrKMmRpbmnHJbGOs22udzfuqtEKMs+dme+L0xNeCuZSJGbxC2+CXtD
qayfvD4Kqj8yK+vYMBAt
=8A/f
-----END PGP SIGNATURE-----
More information about the freebsd-questions
mailing list