Noob Jail question.
indexer at internode.on.net
Wed Dec 15 23:56:45 UTC 2010
> SSH remote login for admin needs (But not for "root" login) Also working
> I think I'd like to run Hiawatha in a Jail, as it seems "the right thing
> to do" with something that will be exposed to the www.
From a security standpoint it makes sense, as it confines a malicious user *if* they get in.
> But, how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update
> that data. FTPD will only be reachable from LAN side of the main gateway
> router, Hiawatha will have an outside world port forwarded to it by the
You notice the way jails work? They are essentially a fenced-off part of your filesystem. So your jail may live in /usr/jails on the host system. You can access all the contents of the jail from the host, of course.
An easy answer to this would be something like: have a directory called /var/www and have the FTPD write to that. Then mount /var/www as a nullfs in read-only mode to /usr/jails/var/www, and point your webserver (which inside the jail is unaware of some of this) to /var/www (or, seen from the host, /usr/jails/var/www).
> What I'm asking I guess, is.. Can a jail'd app, reach outside the jail
> in "read only" mode. (I suspect, maybe?) Or can an app outside the
> jail, drop stuff off inside the jail? (For whatever reason, I suspect
A jailed app cannot reach "outside"; this defeats the purpose. On the other hand, the host can "reach in".
The best way to learn is to try, so setting it up on a dev machine is probably the best way to go. Again, if you need more help, email this list.
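The read-only nullfs export described in the reply, as an added shell example that is not part of the original thread: it builds the mount(8) command and the matching fstab(5) line, and checks from `mount -p` output that the jail's docroot is really mounted read-only. The jail root /usr/jails/www and the use of a per-jail fstab are assumptions; the reply only names /usr/jails.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the read-only nullfs
# mount the reply describes (host /var/www -> jail's /var/www) and checks,
# from fstab-format `mount -p` output, that the export really is read-only.
# Assumptions: the jail lives at /usr/jails/www and is mounted via a per-jail
# fstab (the mount.fstab option of jail.conf); the reply only names /usr/jails.

HOST_DOCROOT=/var/www        # where FTPD writes on the host
JAIL_ROOT=/usr/jails/www     # assumed jail root
JAIL_DOCROOT=/var/www        # the path Hiawatha is configured with inside the jail

# One-off mount(8) command: read-only nullfs of the host docroot into the jail.
nullfs_mount_cmd() {
    printf 'mount -t nullfs -o ro %s %s%s\n' \
        "$HOST_DOCROOT" "$JAIL_ROOT" "$JAIL_DOCROOT"
}

# The same mount as an fstab(5) line for the jail's fstab, so it is applied
# every time the jail starts. The host-side mountpoint must already exist.
nullfs_fstab_line() {
    printf '%s\t%s%s\tnullfs\tro\t0\t0\n' \
        "$HOST_DOCROOT" "$JAIL_ROOT" "$JAIL_DOCROOT"
}

# Read `mount -p` output (device mountpoint fstype options dump pass) on
# stdin; succeed only if the jail docroot is a nullfs mount carrying "ro".
# A jailed Hiawatha (or whoever compromises it) then cannot modify the site.
docroot_is_readonly() {
    awk -v mp="$JAIL_ROOT$JAIL_DOCROOT" '
        $2 == mp && $3 == "nullfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of `mount -p` output, as it would look after the mount.
SAMPLE_MOUNT_OUTPUT='/dev/ada0p2 / ufs rw 1 1
/var/www /usr/jails/www/var/www nullfs ro 0 0'

# Demo: print what to run / add, then verify the constructed sample.
nullfs_mount_cmd
nullfs_fstab_line
if printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | docroot_is_readonly; then
    echo "jail docroot is read-only: FTPD updates on the host, the jail only reads"
fi
```

Pipe real `mount -p` output into docroot_is_readonly after starting the jail to confirm the option actually took effect rather than trusting the fstab line.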