wiki:experiences:igraltist:run-jail

Differences

This shows you the differences between two versions of the page.

wiki:experiences:igraltist:run-jail [2012/05/13 07:22]
127.0.0.1 (old revision restored)
wiki:experiences:igraltist:run-jail [2012/05/13 07:49]
127.0.0.1 (old revision restored)
Line 258: Line 258:
  
 The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits. The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
 +
  
  
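Review bot: this hunk only adds a blank line after the capability paragraph, but the paragraph it touches carries several typos that should be fixed in the same edit: "nework interface" should read "network interface", "processes which owned by other users" should read "processes owned by other users", and a space is missing between "(kill capability)." and "Furthermore". Since the paragraph enumerates what the example still permits (setuid/setgid, low ports via net-bind-service, kill, sysctl reads, resource-limit changes), a short pointer to where each of these can be restricted would help readers tighten the jail rather than copy the permissive example as is.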
Line 295: Line 296:
 or in the init.d file. or in the init.d file.
  
-As example ​use the postfix init script. Modify it like below:+As example use the postfix init script. Modify it like below:
 <code bash> <code bash>
 run-jail pdnsd start-stop-daemon --start --quiet --exec /​usr/​sbin/​pdnsd -- -t -s -d -p /​var/​run/​pdnsd.pid ${PDNSDCONFIG} run-jail pdnsd start-stop-daemon --start --quiet --exec /​usr/​sbin/​pdnsd -- -t -s -d -p /​var/​run/​pdnsd.pid ${PDNSDCONFIG}
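Review bot: the sentence "As example use the postfix init script" does not match the command below it, which wraps pdnsd (run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd ... ${PDNSDCONFIG}); either the sentence should say the pdnsd init script or the example should show postfix. Removing the stray zero-width space in "As example ​use" is otherwise the right fix.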
Line 301: Line 302:
  
 Then stop and start the service again. Then stop and start the service again.
 +
 +Or just use ping on cmdline:
 +(the optional parameter --show display the full translated command)
 +<code bash>
 +run-jail ping ping heise.de -t 3 --show
 +</​code>​
 +
  
 <​del>​FIXME:​ substitute numeric values into human readable names from ps-jail <​del>​FIXME:​ substitute numeric values into human readable names from ps-jail
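Review bot: the explanatory line for the new ping example should be a sentence with the verb agreeing, "the optional parameter --show displays the full translated command". It should also say where --show has to be placed: in the example it is the last argument, after the wrapped program's own options (run-jail ping ping heise.de -t 3 --show), so a reader cannot tell whether run-jail or ping consumes it. Unrelated to the change but visible in the trailing context, the "<del>FIXME:" line opens a <del> tag that is never closed.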
Line 306: Line 314:
  
 In rsbac-tools there is a tool ps-jail which display processes are in a jail. In rsbac-tools there is a tool ps-jail which display processes are in a jail.
-Or does a:+<code bash> 
 +ps-jail -h 
 +</​code>​ 
 + 
 +Or do a:
 <code bash> <code bash>
 cat /​proc/​rsbac-info/​jails cat /​proc/​rsbac-info/​jails
 </​code>​ </​code>​
 +
  
  
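Review bot: the lead sentence should read "ps-jail, which displays which processes are in a jail", and since the added block runs ps-jail -h it should say that this prints the tool's usage rather than the jail list. The change from "Or does a:" to "Or do a:" before the cat /proc/rsbac-info/jails block is correct.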
Line 340: Line 353:
 This policies are tested and working so far. This policies are tested and working so far.
  
-  * [[wiki:experiences/igraltist/jail_apache2|Setup for apache2]] +  * [[http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail|Example configurations ​for run-jail]]
-  * [[wiki:​experiences/igraltist/​jail_apcupsd|Setup for apcupsd]] +
-  * [[wiki:​experiences/​igraltist/​jail_cron|Setup for cron]] +
-  * [[wiki:​experiences/​igraltist/​jail_dbus|Setup for dbus]] +
-  * [[wiki:​experiences/​igraltist/​jail_ddclient|Setup for ddclient]] +
-  * [[wiki:​experiences/​igraltist/​jail_dhcpd|Setup for dhcpd]] +
-  * [[wiki:​experiences/​igraltist/​jail_dmeventd|Setup for dmeventd]] +
-  * [[wiki:​experiences/​igraltist/​jail_hald|Setup for hald]] +
-  * [[wiki:​experiences/​igraltist/​jail_ntpd|Setup for ntpd]] +
-  * [[wiki:​experiences/​igraltist/​jail_pdnsd|Setup for pdnsd]] +
-  * [[wiki:​experiences/​igraltist/​jail_ping|Setup for ping]] +
-  * [[wiki:​experiences/​igraltist/​jail_portmap|Setup for portmap]] +
-  * [[wiki:​experiences/​igraltist/​jail_postfix|Setup for postfix]] +
-  * [[wiki:​experiences/​igraltist/​jail_powernowd|Setup for powernowd]] +
-  * [[wiki:​experiences/​igraltist/​jail_rklogd|Setup for rklogd]] +
-  * [[wiki:​experiences/​igraltist/​jail_rsync|Setup for rsync]] +
-  * [[wiki:​experiences/​igraltist/​jail_samba|Setup for samba]] +
-  * [[wiki:​experiences/​igraltist/​jail_squid|Setup for squid]] +
-  * [[wiki:​experiences/​igraltist/​jail_syslogd|Setup for syslogd]] +
-  * [[wiki:​experiences/​igraltist/​jail_syslog-ng|Setup for syslog-ng]] ​  +
-  * [[wiki:​experiences/igraltist/jail_wget|Setup for wget]] +
-  * [[wiki:​experiences/igraltist/jail_vixie-cron|Setup for vixie-cron]] +
- +
- +
- +
- +
- +
- +
  
  
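Review bot: this hunk replaces twenty-two per-service wiki pages (apache2 through vixie-cron) with a single external link to http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail, so readers lose the in-wiki setup notes unless those pages still exist elsewhere; either keep the list or state that the configurations moved to the repository. The link points at the "tip" revision, which changes with every commit, so pinning a specific revision would keep the reference stable. The unchanged lead sentence should read "These policies are tested and working so far."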
Line 386: Line 371:
 switch_adf_log GET_STATUS_DATA PROCESS 0 switch_adf_log GET_STATUS_DATA PROCESS 0
 </​code>​ </​code>​
 +
  
  
 ====== Jailed local programs for lazy people ===== ====== Jailed local programs for lazy people =====
 For example, if you want jailed '​ping'​ or '​wget'​ automatic, this does not prevent a using the absolute path. For example, if you want jailed '​ping'​ or '​wget'​ automatic, this does not prevent a using the absolute path.
-The idea behind is simple add a new path to the environ PATH and put it on first place. ​+The idea behind is simple add a new path to the environ ​variable ​PATH and put it on first place. ​
  
 For this do: For this do:
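Review bot: the heading markup in the context is unbalanced ("====== Jailed local programs for lazy people =====" has six "=" on the left and five on the right) and should use the same count on both sides. The changed line would be clearer as "The idea is simple: add a new directory to the PATH environment variable and put it in first place." ("environ variable" is not a term), and the preceding sentence "this does not prevent a using the absolute path" should read "this does not prevent use of the absolute path".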
wiki/experiences/igraltist/run-jail.txt · Last modified: 2012/07/21 22:01 by 127.0.0.1
