On Sep 22, 2005, at 6:51 PM, Malachi de Ælfweald wrote:

I am thinking at this point what I am going to try to do is build a jail skeleton, then use unionfs to mount on top of that... so in theory, I could save a LOT of space while at the same time giving them pretty complete jails
(one per domain).
 Malachi

What I did was set up a master jail (that is never actually booted) and use nullfs to mount pieces of that inside each separate jail (mostly read-only as well, which provides some security, as hacked jails cannot have their system executables changed since they reside in a read-only space). I did not use unionfs. I have one submaster jail which has a writable /usr with a nullfs mount (was using localhost nfs before that) so I can install new stuff inside of that.

Here is an example

/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/intentcenter/lib (nullfs, local, read-only)
/local/jails/master/libexec on /local/jails/intentcenter/libexec (nullfs, local, read-only)
/local/jails/master/sbin on /local/jails/intentcenter/sbin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)
procfs on /local/jails/intentcenter/proc (procfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)

(continued below)


On 9/13/05, Frank Mueller - emendis GmbH <[EMAIL PROTECTED]> wrote:


Hi there,

if you have enough system resources I would recommend using separate
jails for every user.
All you have to keep in mind is that you won't be able to provide some
services (SMTP, POP, IMAP, etc.) more than once for the whole system
because they need a predefined port (25, 110, 443, etc.).

Sure you can. Each separate IP, and each jail has its own IP, has its own set of ports. I run a single server with 40 jails and they have their own imap, smtp, etc. in each (as required --- most don't as it is not required, but it works fine) without any port forwarding or any funny games.

Some other services, like ssh, you can manage through port forwarding, http
through virtual hosting, etc.

See above -- (almost) all my jails have their own apache running inside.

Separate jails make it much easier to keep track of activities.

yes

Chad

It all depends on what applications the user should be able to use.

Greetz,

Ice

Elliot Crosby-McCullough schrieb:

Dear all,

I will shortly be creating a public service on a private box that
will include shell access to untrusted users and would like your opinion
on the best way to go about this.

Obviously jails are a good start, but my main concern is whether to
go for one large jail for all the restricted users or one small jail per
user.

I do not have a wealth of real IPs at my disposal but accountability
and security is paramount, therefore I would like to use local IPs
through NAT (within the one box) whilst retaining the translation logs.
I would like to use one local IP per user in order to keep track of
activity. I can afford a few real IPs for the purpose.

The accounts themselves will be supremely limited. No root access,
just basics such as ssh, perhaps telnet, mutt etc. I do not want the
users to have the ability to run any scripts, so perl etc is out, but I suppose the NAT firewall will be a fallback if any compiled programs are
uploaded.

Each user account is likely to have email/gpg etc but I'm happy to
control that from the host system with virtual users and simply deliver into the jail. It is not necessary for the jails to run any services,
except the ability to SSH in.

As you can see there are factors pulling in both directions, what
would you recommend as the best direction to go?

Sincerely,
Elliot Crosby-McCullough
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"


--
Frank Mueller
eMail: [EMAIL PROTECTED]
Mobil: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Fon: +49.9131.817361
Fax: +49.9131.817386

Geschaeftsfuehrer: Gunter Kroeber, Volker Wiesinger
Sitz Erlangen, Amtsgericht Fuerth HRB 10116




---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
[EMAIL PROTECTED]
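The master-jail layout Chad describes above (one never-booted master whose bin, lib, libexec, sbin and usr are nullfs-mounted read-only into every per-domain jail), as an added example that is not code from the thread or from any FreeBSD tool: a POSIX sh script that emits the per-jail fstab lines for those read-only mounts and then audits mount(8) output for any master tree that came up writable, which is the failure mode that would let one compromised jail replace binaries every other jail runs. The paths (/local/jails/master, /local/jails/intentcenter, /local/jails/submaster) and the sample mount output are constructed for illustration, modelled on the thread's layout.

```shell
#!/bin/sh
# Added example (not from the original thread): per-jail fstab generation for
# read-only nullfs mounts of a shared master jail, plus an audit of mount(8)
# output. All paths are assumptions modelled on the thread's layout.

MASTER=/local/jails/master
# System trees shared read-only from the master. /etc, /var, /tmp and /home
# stay inside each jail's own (writable) filesystem.
SHARED_TREES="bin lib libexec sbin usr"

# gen_fstab JAILROOT
# Print fstab(5) lines for one jail: each master tree nullfs-mounted read-only
# ("ro") onto the same path under JAILROOT, plus devfs. The resulting file is
# what rc.conf's jail_<name>_fstab (or jail.conf's mount.fstab on newer
# systems) hands to "mount -F <file> -a" when the jail starts.
gen_fstab() {
    jailroot=$1
    for tree in $SHARED_TREES; do
        printf '%s\t%s/%s\tnullfs\tro\t0\t0\n' "$MASTER/$tree" "$jailroot" "$tree"
    done
    printf 'devfs\t%s/dev\tdevfs\trw\t0\t0\n' "$jailroot"
}

# audit_ro < mount-output
# Read mount(8) output on stdin and print every nullfs mount whose source is
# under $MASTER but is not flagged read-only. Returns 1 if any is found,
# 0 otherwise. A writable master mount means a compromised jail could replace
# binaries that every other jail executes.
audit_ro() {
    bad=0
    while IFS= read -r line; do
        case $line in
            "$MASTER"/*" on "*" (nullfs,"*) ;;
            *) continue ;;
        esac
        case $line in
            *read-only*) ;;
            *) printf 'WRITABLE master mount: %s\n' "$line"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of mount(8) output for the audit. The submaster line is
# deliberately writable, like the thread's one "install" jail.
SAMPLE_MOUNT='/dev/md1910 on /local/jails/intentcenter (ufs, local, synchronous, soft-updates)
/local/jails/master/bin on /local/jails/intentcenter/bin (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/intentcenter/usr (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/submaster/usr (nullfs, local)
devfs on /local/jails/intentcenter/dev (devfs, local)'

# Usage: write the fstab for one jail, then audit the (sample) mount table.
gen_fstab /local/jails/intentcenter
printf '%s\n' "$SAMPLE_MOUNT" | audit_ro || echo "audit: writable master mount(s) found"
# On a real host, run:  mount | audit_ro
```

Run the audit from cron or after every jail start; it is cheap and catches the case where someone remounts a master tree read-write to install a package and forgets to flip it back. Only the submaster should ever show up, and it should be the one jail nothing untrusted runs in.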

