“This article shows how I created a jail under FreeBSD 5. Though FreeBSD 6.0 has come out since I wrote this article, the strategy should remain the same. I’ll update the article with any changes should anything be different.”
Should someone find an exploit in Apache and use it to compromise your system, the intruders can only do what the jail allows them to do
I like that
It’s always nice to read something about jails. But you can tell that the author of this article used to work with jails under FreeBSD 4, without exploring many of the newer options available in 5 and 6 🙂
FreeBSD 5/6 make jails even easier 😉 like we don’t need jailtools anymore to have rc-scripts, we can just put some configuration in /etc/rc.conf and the jails are started/shutdown and devfs’-mounted when required (also manually with /etc/rc.d/jail).
Also, the jls and jexec tools, which I find very handy, are missing from the article. With them you can easily see what jails are running, and start processes inside them. That way you don’t even require sshd running inside a jail depending on the use.
Jailaudit is worth mentioning too: you can monitor your ports for vulnerabilities (using portaudit) from the base system.
mount_nullfs is interesting, but wasn’t very stable before FreeBSD 6: you can remount a ports-tree from another jail with nullfs on another part of the filesystem so that these files are not redundant in each jail.
BTW: It was an eye-opener to me (not based on this article, but jail-related) that you can run multiple-jails with the same ip-address, even re-use the ip-address of the “base”-system. That way you can keep your base system very clean (which you should do, I suppose, I wonder why the author was running postfix there for instance ;-)) and have your httpd running inside a jail for instance, and your mail server or sshd in another (with the same or different userland).
Downsides regarding jails are (for me) maintenance (if you upgrade a base you -need- to upgrade the userland in a jail too because of the changed kernel, takes more work), and you can only have one IPv4 address and no IPv6 addresses.
I’m shocked that Dan doesn’t know about all the new stuff to handle configuring/starting/stopping jails that’s in 6.x (and I’m guessing 5.x as well, but who runs that anyhow?).
In short, you can just add something like this to /etc/rc.conf on the host after populating your jail and testing it:
# jail stuff - general
jail_enable="YES"
jail_list="jail1 jail2 pkgjail"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
# jail stuff - per jail settings
# jail 1 - shell
jail_jail1_rootdir="/jails/jail1"
jail_jail1_hostname="jail1.foo.net"
jail_jail1_ip="216.x.x.x"
jail_jail1_exec_start="/bin/sh /etc/rc"
jail_jail1_exec_stop="/bin/sh /etc/rc.shutdown"
jail_jail1_devfs_enable="YES"
jail_jail1_fdescfs_enable="NO"
jail_jail1_procfs_enable="NO"
jail_jail1_mount_enable="NO"
jail_jail1_devfs_ruleset="devfsrules_jail"
# continue with jail2, jail3, etc.
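As an added example (not part of the comment above and not FreeBSD's own rc code), this sh function checks every jail named in jail_list against the restrictive values used in that snippet and reports any key that is unset or different. The function names and the weakened jail2 sample are constructed for illustration; treating the snippet's values as the baseline is an assumption of this example.

```sh
#!/bin/sh
# Added example: compare jail_* settings in an rc.conf-style file with the
# baseline values from the comment above. Helper names are hypothetical.
audit_jail_conf() {
    (   # subshell: the sourced variables do not leak into the caller
        . "$1" || exit 2
        findings=0
        expect() {   # expect VAR WANT: report VAR when unset or different
            eval "got=\${$1-}"
            [ "$got" = "$2" ] && return 0
            echo "WARN: $1='$got', baseline '$2'"
            findings=$((findings + 1))
        }
        expect jail_socket_unixiproute_only YES
        expect jail_sysvipc_allow NO
        for j in ${jail_list:-}; do
            case "$j" in   # names are spliced into eval: identifiers only
                *[!A-Za-z0-9_]*)
                    echo "WARN: unsafe jail name '$j', skipped"
                    findings=$((findings + 1)); continue ;;
            esac
            expect "jail_${j}_devfs_enable" YES
            expect "jail_${j}_devfs_ruleset" devfsrules_jail
            expect "jail_${j}_fdescfs_enable" NO
            expect "jail_${j}_procfs_enable" NO
            expect "jail_${j}_mount_enable" NO
        done
        echo "findings: $findings"
        [ "$findings" -eq 0 ]   # exit status: 0 only when the file is clean
    )
}

write_sample() {   # constructed input: jail1 as in the comment, jail2 weakened
    cat > "$1" <<'EOF'
jail_list="jail1 jail2"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_jail1_devfs_enable="YES"
jail_jail1_devfs_ruleset="devfsrules_jail"
jail_jail1_fdescfs_enable="NO"
jail_jail1_procfs_enable="NO"
jail_jail1_mount_enable="NO"
jail_jail2_devfs_enable="YES"
jail_jail2_fdescfs_enable="NO"
jail_jail2_procfs_enable="YES"
jail_jail2_mount_enable="NO"
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_jail_conf "$sample" || true
rm -f "$sample"
```

Sourcing executes the file being audited, so point it only at files the rc system itself would already source, such as /etc/rc.conf.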