FreeBSD jail

Source: Kuutõrvaja
Revision as of 19 October 2007, 15:58, by user Jj

Introduction

The FreeBSD jail mechanism is an early implementation of operating system-level virtualization that allows administrators to partition a FreeBSD-based computer system into several independent mini-systems called jails.


FreeBSD jails mainly aim at three goals:

Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is (almost) indistinguishable from a real system.

Security: Each jail is sealed from the others, thus providing an additional level of security.

Ease of delegation: Thanks to the limited scope of a jail, it allows administrators to painlessly delegate several tasks which require superuser access without handing out complete control over the system.


Those familiar with Unix will recognize the chroot jail method of restricting the scope of processes. The FreeBSD jail mechanism is more than that: each jailed process has a specific kernel structure attached to it, whose purpose is to limit its interaction with processes running in other jails and to restrict what it can do (for instance, a jail is bound to only one IP address and cannot access raw, divert or routing sockets).

My host's IP is 172.17.0.183, the jail's IP will be 172.17.0.184, and the jail itself is located at /usr/jail/jail1.

Creating the jail

A jail, quick and dirty

First we compile the system source, assuming it is present

cd /usr/src && make buildworld

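Now we create a small script that builds the jail in the desired location. The jail's location is set with the variable D.

#!/bin/sh
# Root directory of the jail
D=/usr/jail/jail1
cd /usr/src
mkdir -p "$D"
# Install the compiled world into the jail root
make installworld DESTDIR="$D"
# Install the default configuration files
cd /usr/src/etc
make distribution DESTDIR="$D"
# Mount devfs inside the jail
mount_devfs devfs "$D/dev"
# Placeholder kernel symlink inside the jail
cd "$D"
ln -sf dev/null kernel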

Configuring the jail host

Add the following to the host's /etc/rc.conf

# IP addresses for the jail and the host
ifconfig_fxp0="inet 172.17.0.183 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 172.17.0.184 netmask 0xFFFFFFFF"

# have inetd listen only on the host's own address; better still if inetd is not running at all
inetd_flags="-wW -a 172.17.0.183"

# have syslogd listen only on the local socket
syslogd_flags="-ss"

# rpcbind can cause conflicts with the jail
rpcbind_enable="NO"

# parameters specific to the jail being created
jail_enable="YES"
jail_list="test"
jail_test_hostname="yhikas"
jail_test_ip="172.17.0.184"
jail_test_rootdir="/usr/jail/jail1"
jail_test_exec="/bin/sh /etc/rc"
jail_test_procfs_enable="Yes" 


Change the host's /etc/ssh/sshd_config as follows


ListenAddress   172.17.0.183
UseDNS          no
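
The host settings above exist so that no host daemon answers on the jail's address: a listener bound to the wildcard address also accepts connections sent to the 172.17.0.184 alias. The following check is an added example, not part of the original page; the function names are hypothetical and the sample input is constructed in the column layout that `sockstat -4 -l` prints.

```sh
#!/bin/sh
# Added example: classify listening sockets on the jail host by bind address.
# Usage: sockstat -4 -l | classify_listeners HOST_IP JAIL_IP
# Prints "scope command proto local-address" for every listener, where scope
# is wildcard (also answers on the jail IP), host, jail or other.
classify_listeners() {
    awk -v host="$1" -v jail="$2" '
        NR == 1 && $1 == "USER" { next }     # skip the header row
        NF < 6 { next }                      # not a socket line
        {
            addr = $6
            sub(/:[0-9]+$/, "", addr)        # strip the port
            if (addr == "*")        scope = "wildcard"
            else if (addr == host)  scope = "host"
            else if (addr == jail)  scope = "jail"
            else                    scope = "other"
            print scope, $2, $5, $6
        }
    '
}

# Constructed sample: sshd and inetd restricted as configured above,
# sendmail and syslogd left on their wildcard defaults.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   172.17.0.183:22       *:*
root     inetd      587   5  tcp4   172.17.0.183:21       *:*
root     sshd       733   3  tcp4   172.17.0.184:22       *:*
root     sendmail   598   4  tcp4   *:25                  *:*
root     syslogd    421   6  udp4   *:514                 *:*
EOF
}

# Show only the listeners that still need to be restricted or disabled.
sample_sockstat | classify_listeners 172.17.0.183 172.17.0.184 |
    awk '$1 == "wildcard"'
```

Any line reported as wildcard is a host service that should either be bound to 172.17.0.183 or switched off before the jail is started.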

Jail configuration

Move to the directory /usr/jail/jail1

The jail's /etc/rc.conf

rpcbind_enable="NO"
network_interfaces=""
hostname="yhikas"
sshd_enable="YES"
sendmail_enable="NO"
syslogd_flags="-ss"
inetd_flags="-wW -a 172.17.0.184"

Change the jail's /etc/ssh/sshd_config as follows

ListenAddress   172.17.0.184
UseDNS          no


An empty /etc/fstab for the jail

touch /usr/jail/jail1/etc/fstab

In the jail's /etc/resolv.conf we write the name server we use; I wrote kadri.ut.ee there.

ln -s /var/run/log /usr/jail/jail1/dev/log

Start the jail

jail /usr/jail/jail1 test 172.17.0.184 /bin/sh

Now you can create users, set the root user's password, and so on.

Links

http://phk.freebsd.dk/pubs/sane2000-jail.pdf

http://www.freebsd.org/cgi/man.cgi?query=jail&format=html