Making a Jailed Environment in FBSD[zz]

Posted on 2003-10-11 12:54:15
Chrooted jails are great for increasing the security of programs running on your box, and FreeBSD makes it very easy to set up your own environment.

A couple of things to note: each jail must have its own IP address, so you may want to throw in another NIC if needed. Also, if your system has daemons that bind to all available IPs on your box, they will prevent the jail from starting. You can use the sockstat(1) command to see which daemons are listening. If this is the case, you may have to reconfigure them to listen on one IP only.

Kernel Options:
The jail needs 3 different sysctls. In most cases these can be set to 0 safely, which will save some headaches in the future and help make it more secure.

jail.set_hostname_allowed
jail.socket_unixiproute_only
jail.sysvipc_allowed



Next, we have to download the src tree from FreeBSD.
You may also want your jail to be on its own partition for added security.
So, here are the steps needed to set up a chroot jail on a partition mounted under /jailed:


# cd /usr/src
# make world DESTDIR=/jailed
# make installworld DESTDIR=/jailed


Now we gotta set up /etc correctly in the jail.

# cd /usr/src/etc
# make distribution DESTDIR=/jailed NO_MAKEDEV_RUN=yes


And then set up /dev in it:

# cd /jailed/dev
# sh MAKEDEV jail


Note: many programs try to find your kernel in /kernel, so it's good to make a fake one in your jail.

# cd /jailed
# ln -sf dev/null kernel


Now it's time to set up an IP for the jail.

# ifconfig xl0 alias 192.168.1.199

You can also add this to /etc/rc.conf so the alias is set up automatically on boot:
ifconfig_xl0_alias0="192.168.1.199"

Now we set up a procfs in the jail and are ready to go.

# mount -t procfs proc /jailed/proc

You can start the jail with the jail(8) command.

# jail <path to jail> <jail hostname> <jail ip> <command>
# jail /jailed myjailedhost 192.168.1.199 /bin/bash



Now the following must be done from within the jail:
Create a /jailed/etc/rc.conf and add the following:

portmap_enable="NO"
network_interfaces=""
sshd_enable="YES"

# touch /etc/fstab


If you're running sendmail, do the following:

# newaliases

Set your root password for the jail:

# passwd

Now everything is set and ready to go... Once you exit this shell, the jail will be gone, so we can do the following to keep it up forever...

Run the virtual machine's /etc/rc script from within the jail by hand, or have it start at boot by adding it to the end of your /usr/local/etc/rc.d/jail.sh script.


Killing your jail:

# /bin/sh /usr/local/etc/rc.d/jail.sh stop
# /bin/sh /etc/rc.shutdown
# kill -15 -1 (don't do this on a non-jailed server =P)
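
The post's opening note says daemons bound to all IPs keep the jail from starting and points to sockstat(1) to find them. The script below is an added example, not part of the original post: it filters sockstat output for wildcard (`*:port`) listeners. The function names, the assumed column layout and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: find daemons bound to the wildcard address in sockstat(1)
# output, which the post says will keep a jail from starting.

# Reads sockstat output on stdin, prints "command proto port" per listener.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
wildcard_listeners() {
    awk '$5 ~ /^(tcp|udp)/ && $6 ~ /^\*:[0-9]+$/ {
        split($6, a, ":")
        print $2, $5, a[2]
    }' | sort -u
}

# Constructed sample, not captured from a real host.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       214   3  tcp4   *:22                  *:*
root     sendmail   198   4  tcp4   *:25                  *:*
root     syslogd    120   5  udp4   *:514                 *:*
bind     named      150   20 udp4   192.168.1.10:53       *:*
root     inetd      170   4  tcp4   192.168.1.10:21       *:*
root     sshd       301   4  tcp4   192.168.1.10:22       192.168.1.50:1045
EOF
}

# Returns 1 and lists offenders if any wildcard listener is present.
check_host_for_jail() {
    found=$(wildcard_listeners)
    if [ -n "$found" ]; then
        echo "bound to all addresses (rebind to the host IP only):"
        echo "$found" | sed 's/^/  /'
        return 1
    fi
    echo "no wildcard listeners found"
    return 0
}

# Demo on the sample; on a real host: sockstat | check_host_for_jail
sample_sockstat | check_host_for_jail || true
```

Sockets already bound to a specific address, including established connections, are ignored; only the daemons it lists need their listen address changed before the jail IP is used.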