mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
375 lines
13 KiB
Groff
.\"
.\"Copyright (c) 2000 Robert N. M. Watson
.\"All rights reserved.
.\"
.\"Redistribution and use in source and binary forms, with or without
.\"modification, are permitted provided that the following conditions
.\"are met:
.\"1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\"THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\"ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\"IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\"ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\"FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\"DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\"OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\"HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\"LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\"OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\"SUCH DAMAGE.
.\"
.\"
.\"----------------------------------------------------------------------------
.\""THE BEER-WARE LICENSE" (Revision 42):
.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
.\"can do whatever you want with this stuff. If we meet some day, and you think
.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
.\"----------------------------------------------------------------------------
.\"
.\"$FreeBSD$
.\"
.Dd April 28, 1999
.Dt JAIL 8
.Os
.Sh NAME
.Nm jail
.Nd imprison process and its descendants
.Sh SYNOPSIS
.Nm
.Ar path
.Ar hostname
.Ar ip-number
.Ar command
.Ar ...
.Sh DESCRIPTION
The
.Nm
command imprisons a process and all future descendants.
.Pp
Please see the
.Xr jail 2
man page for further details.
.Sh EXAMPLES
.Ss Setting up a Jail Directory Tree
This shows how to set up a jail directory tree:
.Bd -literal
D=/here/is/the/jail
cd /usr/src
make world DESTDIR=$D
cd etc
make distribution DESTDIR=$D NO_MAKEDEV_RUN=yes
cd $D/dev
sh MAKEDEV jail
cd $D
ln -sf dev/null kernel
.Ed
.Ss Setting Up a Jail
Do what was described in
.Sx Setting up a Jail Directory Tree
to build the jail directory tree. For the sake of this example, we will
assume you built it in
.Pa /data/jail/192.168.11.100 ,
named for the jailed IP address. Substitute below as needed with your
own directory, IP address, and hostname.
.Pp
First, you will want to set up your real system's environment to be
.Dq jail-friendly .
For consistency, we will refer to the parent box as the
.Dq host environment ,
and to the jailed virtual machine as the
.Dq jail environment .
Because jail is implemented using IP aliases, one of the first things to do
is to disable IP services on the host system that listen on all local
IP addresses for a service. This means changing
.Xr inetd 8
to only listen on the
appropriate IP address, and so forth. Add the following to
.Pa /etc/rc.conf
in the host environment:
.Bd -literal -offset indent
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.11.23"
portmap_enable="NO"
syslogd_flags="-ss"
.Ed
.Pp
.Li 192.168.11.23
is the native IP address for the host system, in this example. Daemons that
run out of
.Xr inetd 8
can be easily set to use only the specified host IP address. Other daemons
will need to be configured manually: for some this is possible through
the
.Xr rc.conf 5
flags entries, for others it is not possible without munging
the per-application configuration files, or even recompiling. For those
applications that cannot specify the IP they run on, it is better to disable
them, if possible.
.Pp
A number of daemons ship with the base system that may have problems when
run from outside of a jail in a jail-centric environment. This includes
.Xr syslogd 8 ,
.Xr sendmail 8 ,
.Xr named 8 ,
and
.Xr rpcbind 8 .
While sendmail and named can be configured to listen only on a specific
IP using their configuration files, in most cases it is easier to simply
run the daemons in jails only, and not in the host environment. Syslogd
cannot be configured to bind only a single IP, but can be configured to
not bind a network port, using the
.Fl ss
argument. Attempting to serve
NFS from the host environment may also cause confusion, and cannot be
easily reconfigured to use only specific IPs, as some NFS services are
hosted directly from the kernel. Any third party network software running
in the host environment should also be checked and configured so that it
does not bind all IP addresses, which would result in those services also
appearing to be offered by the jail environments. Sockets bound to all
addresses show up in the output of
.Xr netstat 1
with a local address of the form *.port.
.Pp
Once these daemons have been disabled or fixed in the host environment, it is
best to reboot so that all daemons are in a known state, to reduce the
potential for confusion later (such as finding that when you send mail
to a jail, and its sendmail is down, the mail is delivered to the host,
etc.)
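.Pp
The following is an added example, not part of this manual page or of the
jail sources, for checking the host environment described above: a script
that reads the output of netstat(1) and reports daemons bound to the wildcard
address, which is what makes them answer on the jail aliases as well. The
netstat column layout it parses and the sample socket table embedded in it
are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of jail(8): audit the host for daemons bound to the
# wildcard address (INADDR_ANY). netstat(1) prints such sockets with a local
# address of "*.port"; anything listed would also answer on every jail alias.
# Assumes the classic "netstat -an" layout:
#   Proto Recv-Q Send-Q  Local Address  Foreign Address  (state)

# Read netstat -an output on stdin; print "proto port" for every wildcard listener.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^\*\./ {
            port = $4; sub(/^\*\./, "", port)
            print $1, port
         }'
}

# Read netstat -an output on stdin; print "proto address port" for every
# listening socket, so a daemon bound to the wrong address is visible too.
# (A TCP socket with a wildcard local address is by definition listening;
# UDP sockets carry no state column.)
listeners() {
    awk '$1 ~ /^(tcp|udp)/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            addr = $4; port = $4
            sub(/\.[^.]*$/, "", addr); sub(/^.*\./, "", port)
            print $1, addr, port
         }'
}

# Exit 0 when nothing on stdin binds the wildcard address, 1 otherwise.
host_is_jail_friendly() {
    if wildcard_listeners | grep -q .; then return 1; fi
    return 0
}

# Constructed sample standing in for "netstat -an -f inet" on a host whose
# native address is 192.168.11.23: inetd's ftp and ntpd are bound to the host
# address, while sshd (22) and rpcbind (111) are still on INADDR_ANY.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.11.23.21       *.*                    LISTEN
tcp4       0      0  192.168.11.23.22       192.168.11.5.40212     ESTABLISHED
udp4       0      0  *.111                  *.*
udp4       0      0  192.168.11.23.123      *.*'

# Demonstration on the constructed sample. On a real host, run instead:
#   netstat -an -f inet | wildcard_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

Anything wildcard_listeners prints must be bound to the host address, moved
into a jail, or disabled before the jails are started; host_is_jail_friendly
gives a yes/no answer suitable for a pre-start check in a jail start script.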
.Pp
Start any jails for the first time without configuring the network
interface so that you can clean it up a little and set up accounts. As
with any machine (virtual or not) you will need to set a root password, time
zone, etc. Before beginning, you may want to copy
.Xr sysinstall 8
into the tree so that you can use it to set things up easily. Do this using:
.Bd -literal -offset indent
# mkdir /data/jail/192.168.11.100/stand
# cp /stand/sysinstall /data/jail/192.168.11.100/stand
.Ed
.Pp
Now start the jail:
.Bd -literal -offset indent
# jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh
.Ed
.Pp
You will end up with a shell prompt, assuming no errors, within the jail. You
can now run
.Pa /stand/sysinstall
and do the post-install configuration to set various configuration options,
or perform these actions manually by editing rc.conf, etc.
.Pp
.Bl -bullet -offset indent -compact
.It
Create an empty /etc/fstab to quell startup warnings about missing fstab
.It
Disable the port mapper (rc.conf: portmap_enable="NO")
.It
Run
.Xr newaliases 1
to quell sendmail warnings.
.It
Disable interface configuration to quell startup warnings about ifconfig
(network_interfaces="")
.It
Configure /etc/resolv.conf
so that name resolution within the jail will work correctly
.It
Set a root password, probably different from the real host system
.It
Set the timezone
.It
Add accounts for users in the jail environment
.It
Install any packages that you think the environment requires
.El
.Pp
You may also want to perform any package-specific configuration (web servers,
SSH servers, etc), patch up /etc/syslog.conf so it logs as you'd like, etc.
.Pp
Exit from the shell, and the jail will be shut down.
.Ss Starting the Jail
You are now ready to restart the jail and bring up the environment with
all of its daemons and other programs. To do this, first bring up the
virtual host interface, and then start the jail's
.Pa /etc/rc
script from within the jail.
.Pp
NOTE: If you plan to allow untrusted users to have root access inside the
jail, you may wish to consider setting the
.Va jail.set_hostname_allowed
sysctl to 0. See
.Sx Managing the jail
for the management reasons why this is a good idea. If you
do decide to set this variable, it must be set before starting any jails,
and once each boot.
.Bd -literal -offset indent
# ifconfig ed0 inet alias 192.168.11.100 netmask 255.255.255.255
# mount -t procfs proc /data/jail/192.168.11.100/proc
# jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\
/bin/sh /etc/rc
.Ed
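.Pp
The three commands above, wrapped in an added example script that is not part
of this manual page or of the jail sources. It validates the jail root,
hostname and address before anything reaches ifconfig(8), mount(8) and
jail(8), and runs the steps in the order required. The interface name ed0
and the paths are the ones used in this example; the JAIL_DRYRUN switch and
the validation rules are assumptions made for the script.

```shell
#!/bin/sh
# Added example, not part of jail(8): start a jail from the host with the
# argument checks a start script should have. With JAIL_DRYRUN=1 the commands
# are printed instead of executed (that is also how the script is exercised
# without root or a FreeBSD host).

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Hostname: letters, digits, dot and hyphen only, not starting with dot or
# hyphen (a leading "-" could be taken as an option by downstream tools).
valid_hostname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Execute a command, or print it when JAIL_DRYRUN=1.
run() {
    if [ "${JAIL_DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# start_jail <dir> <hostname> <ip> [interface]
start_jail() {
    dir=$1 host=$2 ip=$3 iface=${4:-ed0}
    # Refuse anything that is not a real jail tree: jailing into "/" would
    # "contain" the process in the host's own filesystem.
    case "$dir" in
        /|"") echo "start_jail: refusing to use '$dir' as jail root" >&2; return 2 ;;
    esac
    if [ "${JAIL_DRYRUN:-0}" != 1 ] && [ ! -d "$dir/etc" ]; then
        echo "start_jail: $dir does not look like a jail tree (no etc/)" >&2; return 2
    fi
    valid_hostname "$host" || { echo "start_jail: bad hostname '$host'" >&2; return 2; }
    valid_ipv4 "$ip"       || { echo "start_jail: bad IPv4 address '$ip'" >&2; return 2; }

    # Order matters: the alias must exist before jail(2) binds to it, and
    # procfs must be mounted before /etc/rc runs inside the jail.
    run ifconfig "$iface" inet alias "$ip" netmask 255.255.255.255 &&
    run mount -t procfs proc "$dir/proc" &&
    run jail "$dir" "$host" "$ip" /bin/sh /etc/rc
}

# Usage: sh jailstart.sh /data/jail/192.168.11.100 testhostname 192.168.11.100 [ed0]
if [ $# -ge 3 ]; then
    start_jail "$@"
fi
```

The /32 netmask on the alias is what keeps the jail's address from adding a
second route for the host's network; the validation keeps a mistyped address
or path from producing an alias on the wrong network or a jail rooted in the
host's filesystem.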
.Pp
A few warnings will be produced, because most
.Xr sysctl 8
configuration variables cannot be set from within the jail, as they are
global across all jails and the host environment.
However, it should all
work properly.
You should be able to see
.Xr inetd 8 ,
.Xr syslogd 8 ,
and other processes running within the jail using
.Xr ps 1 ,
with the
.Dq J
flag appearing beside jailed processes. You should also be able to
telnet to the hostname or IP address of the jailed environment, and log
in using the accounts you created previously.
.Ss Managing the jail
Normal machine shutdown commands, such as
.Xr halt 8 ,
.Xr reboot 8 ,
and
.Xr shutdown 8 ,
cannot be used successfully within the jail. To kill all processes in a
jail, you may log into the jail and, as root, use one of the following
commands, depending on what you want to accomplish:
.Pp
.Bl -bullet -offset indent -compact
.It
.Li kill -TERM -1
.It
.Li kill -KILL -1
.El
.Pp
This will send the
.Dq TERM
or
.Dq KILL
signals to all processes in the jail from within the jail. Depending on
the intended use of the jail, you may also want to run
.Pa /etc/rc.shutdown
from within the jail. Currently there is no way to insert new processes
into a jail, so you must first log into the jail before performing these
actions.
.Pp
To kill processes from outside the jail, you must individually identify the
PID of each process to be killed. The
.Pa /proc/ Ns Va pid Ns Pa /status
file contains, as its last field, the hostname of the jail in which the
process runs, or
.Dq -
to indicate that the process is not running within a jail. The
.Xr ps 1
command also shows a
.Dq J
flag for processes in a jail. However, the hostname for a jail may be, by
default, modified from within the jail, so the
.Pa /proc
status entry is unreliable by default. To disable the setting of the hostname
from within a jail, set the
.Dq Va jail.set_hostname_allowed
sysctl variable in the host environment to 0, which will affect all jails.
You can have this sysctl set each boot using
.Xr sysctl.conf 5 .
Just add the following line to sysctl.conf:
.Bd -literal -offset indent
jail.set_hostname_allowed=0
.Ed
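.Pp
As an added example, not from this manual page or from the jail sources, the
procfs lookup described above as a script: it walks /proc, matches the last
field of each status line against a jail hostname, and signals the matching
PIDs from the host. The procfs root is a parameter so the script can be
exercised on a constructed tree; the status lines in that tree are made up
for the example and only their last field is meaningful. The caveat above
applies unchanged: unless jail.set_hostname_allowed is 0, that last field
is under the control of root inside the jail.

```shell
#!/bin/sh
# Added example, not part of jail(8): enumerate and signal a jail's processes
# from the host using the last field of /proc/<pid>/status.
#
# Caveat: with jail.set_hostname_allowed=1 (the default) jailed root can
# rewrite that field, so set it to 0 before trusting this on a host whose
# jails hand out root to untrusted users. PIDs can also be reused between
# the lookup and the kill; this interface offers nothing better.

# jail_pids <jailhostname> [procfs-root]
# Print the PID of every process whose status line ends with <jailhostname>.
# Passing "-" lists the unjailed host processes instead.
jail_pids() {
    jailhost=$1
    procfs=${2:-/proc}
    for st in "$procfs"/[0-9]*/status; do
        [ -r "$st" ] || continue          # process exited, or glob unmatched
        last=$(awk 'NR == 1 { print $NF }' "$st")
        if [ "$last" = "$jailhost" ]; then
            pid=${st#"$procfs"/}
            printf '%s\n' "${pid%/status}"
        fi
    done
}

# signal_jail <signal> <jailhostname> [procfs-root]
# Send <signal> to every process of the jail, e.g. "signal_jail TERM testhostname",
# then "signal_jail KILL testhostname" for whatever ignored TERM.
signal_jail() {
    sig=$1 jailhost=$2 procfs=${3:-/proc}
    pids=$(jail_pids "$jailhost" "$procfs")
    if [ -z "$pids" ]; then
        echo "signal_jail: no processes found for jail $jailhost" >&2
        return 1
    fi
    # Word splitting of $pids is intended: one argument per PID.
    kill -s "$sig" $pids
}

# Constructed procfs tree standing in for /proc on a host running one jail
# named "testhostname". Fields before the last one are illustrative only.
make_sample_procfs() {
    d=$(mktemp -d)
    mkdir "$d/1" "$d/417" "$d/418" "$d/520"
    echo 'init 1 0 1 1 -1,-1 sldr 946684800,0 0,0 0,0 select 0 0 0,0 -' > "$d/1/status"
    echo 'sh 417 1 417 417 -1,-1 noflags 946684900,0 0,0 0,0 wait 0 0 0,0 testhostname' > "$d/417/status"
    echo 'inetd 418 417 418 418 -1,-1 noflags 946684901,0 0,0 0,0 select 0 0 0,0 testhostname' > "$d/418/status"
    echo 'sshd 520 1 520 520 -1,-1 noflags 946685000,0 0,0 0,0 select 0 0 0,0 -' > "$d/520/status"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree (no signals are sent here).
# On a real host: jail_pids testhostname, then signal_jail TERM testhostname.
sample=$(make_sample_procfs)
jail_pids testhostname "$sample"
rm -rf "$sample"
```

Because every jail's processes carry the jail hostname, hostnames must be
unique across the jails on a host for this lookup to single out one jail;
two jails sharing a hostname would both be signalled.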
.Pp
In a future version of
.Fx ,
the mechanisms for managing jails will be
more refined.
.Ss Sysctl MIB Entries
Certain aspects of the jail containment environment may be modified from
the host environment using
.Xr sysctl 8
MIB variables.
Currently, these variables affect all jails on the system, although in
the future this functionality may be finer grained.
.Bl -tag -width XXX
.It jail.set_hostname_allowed
This MIB entry determines whether or not processes within a jail are
allowed to change their hostname via
.Xr hostname 1
or
.Xr sethostname 3 .
In the current jail implementation, the ability to set the hostname from
within the jail can impact management tools relying on the accuracy of jail
information in
.Pa /proc .
As such, this should be disabled in environments where privileged access to
jails is given out to untrusted parties.
.It jail.socket_unixiproute_only
The jail functionality binds an IPv4 address to each jail, and limits
access to other network addresses in the IPv4 space that may be available
in the host environment.
However, jail is not currently able to limit access to other network
protocol stacks that have not had jail functionality added to them.
As such, by default, processes within jails may only access protocols
in the following domains:
.Dv PF_LOCAL ,
.Dv PF_INET ,
and
.Dv PF_ROUTE ,
permitting them access to UNIX domain sockets,
IPv4 addresses, and routing sockets.
To enable access to other domains, this MIB variable may be set to
0.
Doing so gives jailed processes unrestricted use of every other protocol
family the host supports, so it should be left at the default where
privileged access to jails is given out to untrusted parties.
.It jail.sysvipc_allowed
This MIB entry determines whether or not processes within a jail have access
to System V IPC primitives.
In the current jail implementation, System V primitives share a single
namespace across the host and jail environments, meaning that processes
within a jail would be able to communicate with (and potentially interfere
with) processes outside of the jail, and in other jails.
As such, this functionality is disabled by default, but can be enabled
by setting this MIB entry to 1.
.El
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr newaliases 1 ,
.Xr ps 1 ,
.Xr chroot 2 ,
.Xr jail 2 ,
.Xr procfs 5 ,
.Xr rc.conf 5 ,
.Xr sysctl.conf 5 ,
.Xr halt 8 ,
.Xr inetd 8 ,
.Xr named 8 ,
.Xr reboot 8 ,
.Xr rpcbind 8 ,
.Xr sendmail 8 ,
.Xr shutdown 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh HISTORY
The
.Fn jail
function call appeared in
.Fx 4.0 .
.Sh AUTHORS
The jail feature was written by
.An Poul-Henning Kamp
for R&D Associates
.Dq Li http://www.rndassociates.com/
who contributed it to
.Fx .
.Pp
Robert Watson wrote the extended documentation, found a few bugs, added
a few new features, and cleaned up the userland jail environment.
.Sh BUGS
Jail currently lacks strong management functionality, such as the ability
to deliver signals to all processes in a jail, and to allow access to
specific jail information via
.Xr ps 1
as opposed to
.Xr procfs 5 .
Similarly, it might be a good idea to add an
address alias flag such that daemons listening on all IPs (INADDR_ANY)
will not bind on that address, which would facilitate building a safe
host environment such that host daemons do not impose on services offered
from within jails. Currently, the simplest answer is to minimize services
offered on the host, possibly limiting it to services offered from
.Xr inetd 8
which is easily configurable.