Questions tagged [jail]

One of the tools which can be used to enhance the security of a FreeBSD system is jails.

Jails have been available since FreeBSD 4.X and continue to be enhanced in their usefulness, performance, reliability, and security.

Jails build upon the chroot(2) concept, which is used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment cannot access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system.

However, a chroot has several limitations. It is suited to easy tasks which do not require much flexibility or complex, advanced features. Over time many ways have been found to escape from a chrooted environment, making it a less than ideal solution for securing services.

Jails improve on the concept of the traditional chroot environment in several ways. In a traditional chroot environment, processes are only limited in the part of the file system they can access. The rest of the system resources, system users, running processes, and the networking subsystem are shared by the chrooted processes and the processes of the host system.

Jails expand this model by virtualizing access to the file system, the set of users, and the networking subsystem. More fine-grained controls are available for tuning the access of a jailed environment. Jails can be considered as a type of operating system-level virtualization.

A jail is characterized by four elements:

A directory subtree: the starting point from which a jail is entered. Once inside the jail, a process is not permitted to escape outside of this subtree.

A hostname: which will be used by the jail.

An IP address: which is assigned to the jail. The IP address of a jail is often an alias address for an existing network interface.

A command: the path name of an executable to run inside the jail. The path is relative to the root directory of the jail environment.

Jails have their own set of users and their own root account which are limited to the jail environment.

The root account of a jail is not allowed to perform operations to the system outside of the associated jail environment.

114 questions
1 vote, 2 answers

How to connect FreeBSD Jail to network

So recently I successfully installed and configured a FreeBSD jail and I would like to install software within my jail but I cannot connect to the network. I'm trying to set up an apache+php+mysql installation within the jail and have the webserver…
jgtumusiime
1 vote, 1 answer

Chroot jail of Nginx and php

I'm hosting multiple websites on one VPS, and want to chroot each website, e.g. /chroot/website1 /chroot/website2. I'm using makejail, which is a high-level tool, for creating the jails, and copying the libraries and dependencies. Easy peasy. Each…
sqren
1 vote, 2 answers

FreeBSD - Can't access jail from SSH

I need your help for solving an SSH+FreeBSD+jails authentication issue. I've (almost) successfully set up a jailed environment on my FreeBSD 8.2 box. My FreeBSD host has 2 network interfaces: 192.168.1.41/24 (regular network) and 172.16.100.41/24…
Romain
1 vote, 1 answer

Is it possible to run dhcpd3 as non-root user in a chroot jail?

I would like to run dhcpd3 from a chroot jail on Debian Lenny. At the moment, I can run it as root from my jail. Now I want to do this as a non-root user (as the "-u blah -t /path/to/jail" Bind option). If I start my process like this: start-stop-daemon…
Lenain
1 vote, 1 answer

SFTP - couldn't read packet: connection reset by peer

I have set up SFTP on our development box and would like to jail users into the /var/www/project folder. I have added the following to /etc/ssh/sshd_config: Match Group developers ChrootDirectory /var/www/project X11Forwarding no …
Tim
1 vote, 2 answers

System Security (PHP and others)

I have a few important documents that I keep owned by www-data (apache's user) in my /var/www/ folder. They have to be www-data because PHP will write to them at times. I also have users who access the system in /home/ ... They have access to make…
Brian
1 vote, 1 answer

A jail that is accessible from network without port forwarding

I am using FreeBSD 7.1 and on my server I have two different jails, one for the database and a second one for the game server. What I need to know is if it is possible to assign the game server's jail to a public IP so I do not need to forward every port I need? At…
Balon
1 vote, 0 answers

FreeNAS unable to resolve hostnames, ping of any external IP returns host's IP instead

The internal IP address of my router changed, and ever since TrueNAS has been misbehaving. None of the jails can resolve a hostname anymore. In troubleshooting this, I discovered that the client cannot ping any external IP address without the…
CragMonkey
1 vote, 1 answer

fail2ban does not start jails on CentOS 7

SOLVED - sshd conf file was in the wrong directory and with the wrong extension. I have followed this tutorial htf and everything went smoothly, fail2ban starts nicely, I disabled selinux just in case, but the sshd jail just does not start. I tried messing with…
Belutak
1 vote, 2 answers

FreeBSD 13 PF blocking jail traffic

After upgrading my FreeBSD system from 12.2 to 13.0-p3, PF is blocking all traffic to my jails. When disabling PF everything works fine (apart from being unprotected ;)). I tried to figure out which rule is blocking this traffic by setting 'block in…
GTeley
1 vote, 1 answer

How to move iocage jails from one ZFS pool to another?

What is the process to move iocage and all its jails from one ZFS pool to another? I've tried the process from this post: https://www.ixsystems.com/community/threads/how-to-move-jails-between-pools.72593/post-502840 i.e. iocage export each jail,…
Adam
1 vote, 1 answer

Cannot stop PostgreSQL in FreeBSD jail

I installed postgresql in a jail; it starts automatically after adding postgresql_enable="YES" to /etc/rc.conf, but now I can't stop it. I tried /usr/local/etc/rc.d/postgresql stop, but I've got: pg_ctl: PID file…
leonardorame
0 votes, 1 answer

What is a recommended way of transferring an iocage jail from one host to another

Source: iocage thick jail running on FreeBSD-12.0p12. Destination: FreeBSD-12.1p1. Both hosts are using zfs. What is the recommended method to transfer an existing iocage thick jail from the source to the destination? Is it as simple as: rsync -aqz -e…
James B. Byrne
0 votes, 2 answers

FreeBSD-12 IOCage modifying a jail's /root directory

What is the reason that copying .bash_profile from the host system into the /root directory of an iocage thin jail does not create a file that is visible to the root user when logged on to that jail? In other words, if I do this from the host…
James B. Byrne
0 votes, 1 answer

How to update and maintain multiple jails (ZFS & nullfs skeleton)

There are multiple ways and tools to create jails, and now that disk space is becoming cheaper the creation of a full jail (having already compiled a world) is just a matter of seconds: zfs create tank/jails/sandbox zfs create…
nbari