This shows you the differences between two versions of the page.
wiki:experiences:igraltist:run-jail [2012/05/13 07:12] 127.0.0.1 (old revision restored) |
wiki:experiences:igraltist:run-jail [2012/05/13 07:27] 127.0.0.1 (old revision restored) |
||
---|---|---|---|
Line 310: | Line 310: | ||
cat /proc/rsbac-info/jails | cat /proc/rsbac-info/jails | ||
</code> | </code> | ||
+ | |||
Line 340: | Line 341: | ||
This policies are tested and working so far. | This policies are tested and working so far. | ||
- | * [[wiki:experiences/igraltist/jail_apache2|Setup for apache2]] | + | * [[http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail|Example configurations for run-jail]] |
- | * [[wiki:experiences/igraltist/jail_apcupsd|Setup for apcupsd]] | + | |
- | * [[wiki:experiences/igraltist/jail_cron|Setup for cron]] | + | |
- | * [[wiki:experiences/igraltist/jail_dbus|Setup for dbus]] | + | |
- | * [[wiki:experiences/igraltist/jail_ddclient|Setup for ddclient]] | + | |
- | * [[wiki:experiences/igraltist/jail_dhcpd|Setup for dhcpd]] | + | |
- | * [[wiki:experiences/igraltist/jail_dmeventd|Setup for dmeventd]] | + | |
- | * [[wiki:experiences/igraltist/jail_hald|Setup for hald]] | + | |
- | * [[wiki:experiences/igraltist/jail_ntpd|Setup for ntpd]] | + | |
- | * [[wiki:experiences/igraltist/jail_pdnsd|Setup for pdnsd]] | + | |
- | * [[wiki:experiences/igraltist/jail_ping|Setup for ping]] | + | |
- | * [[wiki:experiences/igraltist/jail_portmap|Setup for portmap]] | + | |
- | * [[wiki:experiences/igraltist/jail_postfix|Setup for postfix]] | + | |
- | * [[wiki:experiences/igraltist/jail_powernowd|Setup for powernowd]] | + | |
- | * [[wiki:experiences/igraltist/jail_rklogd|Setup for rklogd]] | + | |
- | * [[wiki:experiences/igraltist/jail_rsync|Setup for rsync]] | + | |
- | * [[wiki:experiences/igraltist/jail_samba|Setup for samba]] | + | |
- | * [[wiki:experiences/igraltist/jail_squid|Setup for squid]] | + | |
- | * [[wiki:experiences/igraltist/jail_syslogd|Setup for syslogd]] | + | |
- | * [[wiki:experiences/igraltist/jail_syslog-ng|Setup for syslog-ng]] | + | |
- | * [[wiki:experiences/igraltist/jail_wget|Setup for wget]] | + | |
- | * [[wiki:experiences/igraltist/jail_vixie-cron|Setup for vixie-cron]] | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
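Review bot: The single replacement link on the "+" line points at `tip` of an external Mercurial repository over plain http, so the unchanged sentence above it ("This policies are tested and working so far.") now vouches for whatever is at the head of that repository rather than for the 22 per-service pages being removed. Link to a fixed revision that was actually tested, or reword the sentence to say the configurations are maintained in the repository. It would also help to say whether the removed wiki pages (apache2, postfix, samba, ...) remain reachable or are fully superseded by the files under cfg/jail.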
Line 386: | Line 360: | ||
</code> | </code> | ||
- | For example, if you want jailed 'ping' or 'wget' automatic, therefor I have done: | + | |
+ | |||
+ | ====== Jailed local programs for lazy people ===== | ||
+ | For example, if you want jailed 'ping' or 'wget' automatic, this does not prevent a using the absolute path. | ||
+ | The idea behind is simple add a new path to the environ variable PATH and put it on first place. | ||
+ | |||
+ | For this do: | ||
<code bash> | <code bash> | ||
- | mkdir /jails | + | mkdir /usr/local/jails |
</code> | </code> | ||
- | The profile must will modified, so that 'bash' in the directory jails as first search. | + | The profile must will modified, so that directory /usr/local/jails is the first search path. |
- | Therefor I have inserted on begin in the PATH the new jails directory. | + | |
For example it can looks like | For example it can looks like | ||
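Review bot: In the first added paragraph, "this does not prevent a using the absolute path" is the one security-relevant statement of the section, and it is garbled and attached to the wrong clause. State it as its own sentence, for example that the PATH wrapper is a convenience only and a program called by its absolute path still runs unjailed. Because /usr/local/jails is placed first in PATH, the `mkdir` step should also say that the directory must be owned by root and not writable by other users, since anything placed there shadows the system binary of the same name. The new heading opens with six `=` and closes with five, and "The profile must will modified" should read "must be modified".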
Line 403: | Line 382: | ||
</code> | </code> | ||
- | For updating the path execute: | + | Updating profile: |
<code bash> | <code bash> | ||
source /etc/profile | source /etc/profile | ||
</code> | </code> | ||
- | Now the 'jails' directory in the first place to search for a binary file. | + | Now the '/usr/local/jails' directory in the first place to search for an executable file. |
Note: The directory '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script. | Note: The directory '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script. | ||
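Review bot: "Updating profile:" followed by `source /etc/profile` only changes PATH in the shell where it is typed, so the following "+" sentence ("Now the '/usr/local/jails' directory in the first place ...") holds for that shell alone. Add that other open sessions need a new login, and that anything which does not read /etc/profile keeps the old search order and runs the programs unjailed. The "+" sentence is also missing its verb ("is in the first place").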
Line 415: | Line 394: | ||
<code bash> | <code bash> | ||
- | ln -sf /bin/ping /usr/local/jails/ping | + | create-jail -p ping |
+ | </code> | ||
+ | |||
+ | Thats all.\\ | ||
+ | Test it with | ||
+ | |||
+ | <code bash> | ||
+ | ping heise.de --show | ||
+ | </code> | ||
+ | |||
+ | Output should be similar like: | ||
+ | <code bash> | ||
+ | /usr/bin/rsbac_jail -I 0.0.0.0 -r /bin/ping heise.de | ||
</code> | </code> | ||
- | Thats all. | ||
- | The jail configuration file 'ping' must be exists. | + | The jail configuration file 'ping' must be exists but usally is shipped with the rsbac-tools. |
- | When this wrapper not will needed anymore then simple undo the '/etc/profile' modification and remove the 'jails' directory. | + | When this wrapper has no need anymore then simple undo the '/etc/profile' modification and remove the '/usr/local/jails' directory. |
[[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\ | [[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\ |
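Review bot: `create-jail -p ping` replaces the explicit `ln -sf /bin/ping /usr/local/jails/ping` without saying what it creates, so a reader can no longer see what ends up in /usr/local/jails or what exactly the removal step at the end of the hunk undoes; add one sentence describing what `create-jail -p` does. The test `ping heise.de --show` should state how `--show` is handled (the expected output suggests the wrapper prints the rsbac_jail command line), and the output block should explain `-I 0.0.0.0` and `-r` or point to where the jail configuration file 'ping' sets them. The expected-output block is tagged `<code bash>` although it is output rather than a command, and "Thats", "must be exists" and "usally" need fixing.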