Making a Jailed Environment in FBSD


bsdjunkie
March 8th, 2003, 22:05
Chrooted jails are great for increasing the security of programs running on your box, and FreeBSD makes it very easy to set up your own environment.

A couple of things to note: each jail must have its own IP address, so you may want to throw in another NIC if needed. Also, if your system has daemons that bind to all available IPs on your box, it will prevent the jail from starting. You can use the sockstat(1) cmd to see what daemons are listening. You may have to reconfigure these to listen on one IP only if this is the case.

Kernel Options:
The jail needs 3 different sysctls. In most cases these can be set to 0 safely, which will save some headaches in the future and help make it more secure.

jail.set_hostname_allowed
jail.socket_unixiproute_only
jail.sysvipc_allowed


Next, we have to download the src tree from fbsd.
You may also want your jail to be on its own partition for added security.
So, here are the steps needed to set up a chroot jail on a partition mounted under /jailed:


# make world DESTDIR=/jailed
# make installworld DESTDIR=/jailed

Now we have to set up /etc correctly in the jail.

# cd /usr/src/etc
# make distribution DESTDIR=/jailed NO_MAKEDEV_RUN=yes

And then set up /dev in it:

# cd /jailed/dev
# sh MAKEDEV jail

Note: many programs try to find your kernel in /kernel, so it's good to make a fake one in your jail.

# cd /jailed
# ln -sf dev/null kernel

Now it's time to set up an IP for the jail.

# ifconfig xl0 alias 192.168.1.199

You can also add that to /etc/rc.conf to set it up automatically on boot:
ifconfig_xl0_alias0="192.168.1.199"

Now we set up a procfs in the jail and are ready to go.

# mount -t procfs proc /jailed/proc

You can start the jail with the jail(8) cmd.

# jail <path to jail> <jail hostname> <jail ip> <command>
# jail /jailed myjailedhost 192.168.1.199 /bin/bash


Now the following must be done from within the jail:
Create a /jailed/etc/rc.conf and add the following:

portmap_enable="NO"
network_interfaces=""
sshd_enable="YES"

# touch /etc/fstab

If you're running sendmail, do the following:

# newaliases

Set your root pass for the jail:

# passwd

Now everything is set and ready to go... Once you exit this shell, the jail will be gone, so we can do the following to keep it up forever...

Run the virtual machine's /etc/rc script from within the jail by hand, or you can have it start at boot by adding it to the end of your /usr/local/etc/rc.d/jail.sh script.


Killing your jail:

# /bin/sh /usr/local/etc/rc.d/jail.sh stop
# /bin/sh /etc/rc.shutdown
# kill -15 -1 (don't do this on a non-jailed server =P)



:roll:
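As an added example (not part of the original post), a small preflight script for the sockstat caveat above: it assumes output in the format of `sockstat -4l` and uses a constructed sample rather than a live host.

```shell
#!/bin/sh
# Preflight check for the "daemons bound to all IPs" caveat in the post
# above. It reads output in the format of `sockstat -4l` and lists every
# daemon bound to the wildcard address (*:port); those need to be rebound
# to one IP before the jail's alias address can be used.
# SAMPLE_SOCKSTAT is constructed for offline use; on a real host feed the
# functions with `sockstat -4l` instead.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     sendmail   401   5  tcp4   127.0.0.1:25          *:*
bind     named      250   20 udp4   192.168.1.10:53       *:*
root     portmap    220   3  udp4   *:111                 *:*'

# wildcard_listeners: read sockstat output on stdin and print
# "COMMAND PID LOCAL" for each socket whose local address is *:port.
# The header row is skipped by its first column; data rows carry the
# local address as a single token in column 6.
wildcard_listeners() {
    awk '$1 != "USER" && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# jail_preflight: read sockstat output on stdin; return 0 when nothing is
# bound to the wildcard address, 1 (with a list of offenders) otherwise.
jail_preflight() {
    found=$(wildcard_listeners)
    if [ -n "$found" ]; then
        echo "Rebind these to a single IP before starting the jail:"
        echo "$found"
        return 1
    fi
    echo "No wildcard listeners; the jail IP alias can be used."
    return 0
}

# Run the check against the constructed sample (the sshd and portmap
# entries are reported). `|| true` keeps the demo's exit status clean.
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_preflight || true
```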

soup4you2
September 7th, 2003, 21:02
OK, a question here...

In FreeBSD 4.X you have a MAKEDEV command to create your jail devices.


How does one do this under the 5.X branch, since there is no longer a MAKEDEV command?

Kernel_Killer
September 7th, 2003, 22:02
I've been hearing about jails ever since I first heard of BSD. What I can't seem to comprehend is the reason for using them. Can someone elaborate?

Loop
September 7th, 2003, 23:15
I've been hearing about jails ever since I first heard of BSD. What I can't seem to comprehend is the reason for using them. Can someone elaborate?

From the Architecture Handbook:

Jail chroots an environment and sets certain restrictions on processes which are forked from within. For example, a jailed process cannot affect processes outside of the jail, utilize certain system calls, or inflict any damage on the main computer.

So it's kinda chroot + more :)

man jail(2) has a lot more background as well

v902
September 7th, 2003, 23:51
I'm assuming KK is talking about chroot jails, not what Loop was talking about. I may be wrong, if so just slap me ;)

Basically what you do is force an application like Apache or ProFTPD into thinking /JAIL/ is actually /. This makes it hard for an attacker to move around because you are stuck in this jail. It is possible to get out of it; look in OBSD security, frisco put up some links to some talk on escaping jails... It is possible to get out, but it's another level of security: if you don't need any shells, don't put any; don't need a C compiler? Don't put 'em. See an attacker move around with no shell :)