Re: [Jailkit-users] Automated rsync jail creating program
From: Bas Jansen
Subject: Re: [Jailkit-users] Automated rsync jail creating program
Date: Thu, 01 Dec 2005 15:48:48 +0100
Hey everyone again,
I managed to get this into a working prototype where one of the scripts
initiates a jail creation and gives me a /bla/alb/ which contains
a /dev /usr /bin /lib and /home. I then change the /home to /data (though
this isn't really necessary), create an FS one LVM block large (37 MB by
default at the moment), mv the /bla/alb/* files there and run mount --bind
-r /chroot on it after I have made it a file system.
Another script is then able to turn all of this into ready-to-go rsync
jails by adding a user to the regular /etc/passwd, remounting /chroot as rw
and changing the /etc/passwd there, then remounting it read-only and
mounting the entire /chroot as a bind mount on /your_root/user. Then I
use a shared storage disk and mount it on /your_root/user/data (the new
home); this mount is RW, noexec, nosuid, nodev.
By doing all of this (though it may seem paranoid) I am convinced I have
created a ready-to-go unbreakable root jail even though it runs several
processes as root.
If any of you have any requests or questions, feel free to post them and
I may still be able to put them in release 0.1 :)
Greetings,
Bas "Tarskin" Jansen
On Wed, 2005-11-30 at 17:02 +0100, Bas Jansen wrote:
> Hello everyone,
>
> On advice from Olivier I figured I might as well post this to you all in
> case someone might be interested in it. It is still in quite early
> stages and I plan to throw it all around tomorrow again and work with
> read-only mounts combined with writeable, nodev, noexec to see if I
> can get it more secure than it is at the moment.
>
> Greetings.
> Bas Jansen
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
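The two-script procedure described in the message above (a shared, read-only bind-mounted jail root per user, plus a writable data disk mounted noexec,nosuid,nodev), as an added shell example that is not Bas's program and not part of the original post. It prints the mount commands for one user's jail instead of running them, and it checks /proc/mounts-style lines for the options the post requires. The paths /chroot, /your_root and /dev/mapper/shared-data, the user name alice and the sample mount lines are all assumptions or constructed input. One point the example handles explicitly: on Linux a bind mount inherits the flags of its source, so the read-only flag has to be applied with a separate `mount -o remount,bind,ro` step (per-mount read-only bind mounts need kernel 2.6.26 or later); `mount --bind -r` alone does not achieve it.

```shell
#!/bin/sh
# Added example (not the jailkit project's code, not Bas's script).
# Generates the mount commands for one rsync jail as described on the
# list, and checks /proc/mounts-style lines for the required options.
# All paths below are assumptions; adjust for your host.

JAIL_ROOT=${JAIL_ROOT:-/your_root}              # assumed per-user jail parent
CHROOT_SRC=${CHROOT_SRC:-/chroot}               # assumed read-only jail template
DATA_DEV=${DATA_DEV:-/dev/mapper/shared-data}   # assumed shared storage LV

# jail_mount_cmds USER
#   Prints (does not run) the three mount commands for USER's jail:
#   bind the template, remount that bind read-only, mount the data disk
#   writable but without exec/suid/device nodes.
jail_mount_cmds() {
    user=$1
    target="$JAIL_ROOT/$user"
    printf 'mount --bind %s %s\n' "$CHROOT_SRC" "$target"
    # A bind mount inherits the source flags; ro needs a separate remount.
    printf 'mount -o remount,bind,ro %s\n' "$target"
    printf 'mount -o rw,noexec,nosuid,nodev %s %s/data\n' "$DATA_DEV" "$target"
}

# mount_has_opts LINE OPT...
#   Returns 0 when the /proc/mounts LINE (4th field = option list)
#   contains every OPT given, 1 otherwise.
mount_has_opts() {
    line=$1
    shift
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_data_mount LINE  -> 0 if the data mount is rw,noexec,nosuid,nodev
check_data_mount() {
    mount_has_opts "$1" rw noexec nosuid nodev
}

# check_root_mount LINE  -> 0 if the jail root is mounted read-only
check_root_mount() {
    mount_has_opts "$1" ro
}

# Constructed sample /proc/mounts lines (not captured from a real host).
SAMPLE_DATA_OK='/dev/mapper/shared-data /your_root/alice/data ext3 rw,noexec,nosuid,nodev 0 0'
SAMPLE_DATA_BAD='/dev/mapper/shared-data /your_root/bob/data ext3 rw,nosuid,nodev 0 0'
SAMPLE_ROOT_OK='/dev/mapper/vg-jail /your_root/alice ext3 ro 0 0'

# Usage: sh jail_mounts.sh demo
if [ "${1:-}" = "demo" ]; then
    jail_mount_cmds alice
    check_root_mount "$SAMPLE_ROOT_OK" && echo "alice root: read-only ok"
    check_data_mount "$SAMPLE_DATA_OK" && echo "alice data: options ok"
    check_data_mount "$SAMPLE_DATA_BAD" || echo "bob data: missing noexec"
fi
```

To verify a live host after the real mounts are made, feed the matching lines of /proc/mounts to check_root_mount and check_data_mount; a data mount that fails the check is one where an rsync client could drop and execute a binary inside the jail, which is exactly what the noexec,nosuid,nodev combination in the post is meant to prevent.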