freebsd jail: web and database server config questions

Tue Oct 13 15:37:32 UTC 2009

2009/10/13 Dino Vliet <dino_vliet at yahoo.com>

>
> Dear Freebsd people,
>
> To consolditae on resources I have configured a machine to run both a web
> and database server (powering my database driven website).
>
> Due to security concerns I'm contemplating on introducing a jailed
> environment on this machine and want to know if this would be feasible. I
> have a few questions for the freebsd community regarding this approach and
> hope someone would give me some advice.
>
> Is it advisable/wise/okay/clever to run a webserver on my host system and a
> database server on my jailed system? The webserver will need to connect to
> the database system on startup and update the database based on client
> access.
>
> However, if a machine gets compromised, it would rather be the webserver,
> therefore running the webserver in the jailed environment seems better to
> me. But how could that be done, if the webserver requires to connect through
> tcp/ip to the database server running on the host system? I thought that a
> key-feature of a jailed system is that it can't access resources outside the
> jail.
>
> And how do I go around when I need to update my host system due to a
> security advisory. I heard the jailed environment will not be affected? So
> basically that means I would need to create a new jail everytime I recompile
> (as that's the way I'm using to stay current)
>
> Hope to hear from you,
> Brgds
> Dino
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>

ok jail updates are fairly easy to get around. The way I have dont it for
years is to nullfs the host systems /usr into the jail(s) as ro. I also had
a copy of /lib /bin /libexec and /sbin under /usr/jailbins. The said dirs in
the jails were then sym links to the relevent dir in jailbins eg

$ ls -ltr ; pwd
drwxr-xr-x  20 root  wheel  107 Jun 25  2008 etc
drwxr-xr-x   2 root  wheel   46 Sep 23 10:21 bin
drwxr-xr-x   3 root  wheel  106 Sep 23 10:21 lib
drwxr-xr-x   2 root  wheel  139 Sep 23 10:22 sbin
drwxr-xr-x   2 root  wheel    6 Sep 23 10:23 libexec
/usr/jailbins

$ ls -ltr /jails/clamav/root/ | grep "\->"
lrwxrwxrwx   1 root  wheel    11 Apr  1  2006 sys -> usr/src/sys
lrwxrwxrwx   1 root  wheel    18 Apr  1  2006 sbin -> /usr/jailbins/sbin
lrwxrwxrwx   1 root  wheel    21 Apr  1  2006 libexec ->
/usr/jailbins/libexec
lrwxrwxrwx   1 root  wheel    17 Apr  1  2006 lib -> /usr/jailbins/lib
lrwxrwxrwx   1 root  wheel    17 Apr  1  2006 bin -> /usr/jailbins/bin

from fstab

/usr                            /jails/clamav/root/usr
nullfs  ro     2       0
/jails/clamav/usr.etc           /jails/clamav/root/usr/local/etc
nullfs  ro     2       0

the 2nd line means each jail can have its own dedicated local rc, but it
cant be modified from within the jail

I then stuck these lines in rc.local on the host system to keep the jailbins
update

/usr/local/bin/rsync -aH /bin/ /usr/jailbins/bin/
/usr/local/bin/rsync -aH /sbin/ /usr/jailbins/sbin/
/usr/local/bin/rsync -aH /lib/ /usr/jailbins/lib/
/usr/local/bin/rsync -aH /libexec/ /usr/jailbins/libexec/

now when i do a makeworld on the host system the jails inherit everything.
You might not always want to do this, but i never had any serious issues.

Sticking mysql and apache in jails is fairly straight forward after that,
just get them to communicate over ip and make sure you wrap the db
internally, and with tcpwrappers and pf/ipf/ipfw

You could also look at mod_jail for apache. It looks like it lets you run
apache whithout the hassle of setting up a full jailed environment. I havent
used it myself though but would be interested to see how others have faired
with it.

There are also good tools like ezjail with will automate a lot of the jail
process for you.