Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- wiki:experiences:igraltist:run-jail [2011/06/30 04:21] – (old revision restored) 127.0.0.1
+++ wiki:experiences:igraltist:run-jail [2012/07/21 20:01] (current) – (old revision restored) 127.0.0.1
@@ Line 1: / Line 1: @@
-[[wiki:experiences/igraltist#rsbac_jail|Back to igraltist's experiences/RSBAC JAIL]]\\
+[[wiki:experiences/igraltist#JAIL|Back to igraltist's experiences/JAIL]]\\
 ====== run-jail ======
-Visit the [[http://hg.kasten-edv.de/rsbac-tools/file| mericurial repository]].
+Iam using my own tool to manage the RSBAC JAIL.
+See the [[http://hg.kasten-edv.de/rsbac-tools/file| mericurial repository]].
@@ Line 40: / Line 24: @@
 </code>
 No more futher system modification are nessessary.
@@ Line 50: / Line 37: @@
 All jail configuration files are place in directory '/etc/rsbac/jail'.
+Now a python script offer to write a new empty jail definition.\\
+Maybe the name will change in future from this script to create-jail-config.\\
+Just call:
+<code bash>
+create-jail -c my_config
+</code>
+Or the old way be copy paste:\\
 Probably the best way to develop a new jail definition file is to start with an empty file like:
 <code bash>
@@ Line 72: / Line 67: @@
 To learn how to interpret the log messages to develop a jail policy see [[wiki:experiences/igraltist/run-jail/explain-jail-message|explain-jail-message]].
@@ Line 151: / Line 149: @@
 |virtual-user|Use virtual user set.|-V|
 |verbose|Verbose output|-v|
-|debug|Optional to obtain only the output add debug. This is not a rsbac_jail parameter.||
 \\
@@ Line 244: / Line 241: @@
 </code>
-The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability). Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
+The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
@@ Line 282: / Line 280: @@
 or in the init.d file.
-As example I use the postfix init script. Modify it like below:
+As example use the postfix init script. Modify it like below:
 <code bash>
 run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}
@@ Line 288: / Line 286: @@
 Then stop and start the service again.
+Or just use ping on cmdline:
+(the optional parameter --show display the full translated command)
+<code bash>
+run-jail ping ping heise.de -t 3 --show
+</code>
 <del>FIXME: substitute numeric values into human readable names from ps-jail
@@ Line 293: / Line 298: @@
 In rsbac-tools there is a tool ps-jail which display processes are in a jail.
-Or does a:
+<code bash>
+ps-jail -h
+</code>
+Or do a:
 <code bash>
 cat /proc/rsbac-info/jails
@@ Line 318: / Line 327: @@
-===== Jail-Configurations files =====
-This policies are tested and working so far.
-  * [[wiki:experiences/igraltist/jail_apache2|Setup for apache2]]
-  * [[wiki:experiences/igraltist/jail_apcupsd|Setup for apcupsd]]
-  * [[wiki:experiences/igraltist/jail_cron|Setup for cron]]
-  * [[wiki:experiences/igraltist/jail_dbus|Setup for dbus]]
-  * [[wiki:experiences/igraltist/jail_dmeventd|Setup for dmeventd]]
-  * [[wiki:experiences/igraltist/jail_hald|Setup for hald]]
-  * [[wiki:experiences/igraltist/jail_ntpd|Setup for ntpd]]
-  * [[wiki:experiences/igraltist/jail_pdnsd|Setup for pdnsd]]
-  * [[wiki:experiences/igraltist/jail_ping|Setup for ping]]
-  * [[wiki:experiences/igraltist/jail_portmap|Setup for portmap]]
-  * [[wiki:experiences/igraltist/jail_postfix|Setup for postfix]]
-  * [[wiki:experiences/igraltist/jail_powernowd|Setup for powernowd]]
-  * [[wiki:experiences/igraltist/jail_rsync|Setup for rsync]]
-  * [[wiki:experiences/igraltist/jail_samba|Setup for samba]]
-__  * [[wiki:experiences/igraltist/jail_shorewall|Setup for shorewall]]__
-  * [[wiki:experiences/igraltist/jail_squid|Setup for squid]]
-  * [[wiki:experiences/igraltist/jail_syslogd|Setup for syslogd]]
-  * [[wiki:experiences/igraltist/jail_syslog-ng|Setup for syslog-ng]]
-  * [[wiki:experiences/igraltist/jail_wget|Setup for wget]]
-  * [[wiki:experiences/igraltist/jail_vixie-cron|Setup for vixie-cron]]
@@ Line 347: / Line 334: @@
+===== Jail-Configurations files =====
+This policies are tested and working so far.
+  * [[http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail|Example configurations for run-jail]]
@@ Line 365: / Line 356: @@
 </code>
-For example, if you want jailed 'ping' or 'wget' automatic, therefor I have done:
+====== Jailed local programs for lazy people =====
+For example, if you want jailed 'ping' or 'wget' automatic, this does not prevent a using the absolute path.
+The idea behind is simple add a new path to the environ variable PATH and put it on first place.
+For this do:
 <code bash>
-mkdir /jails
+mkdir /usr/local/jails
 </code>
-The profile must will modified, so that 'bash' in the directory jails as first search.
+The profile must will modified, so that directory /usr/local/jails is the first search path.
-Therefor I have inserted on begin in the PATH the new jails directory.
 For example it can looks like
@@ Line 382: / Line 378: @@
 </code>
-For updating the path execute:
+Updating profile:
 <code bash>
 source /etc/profile
 </code>
-Now the 'jails' directory in the first place to search for a binary file.
+Now the '/usr/local/jails' directory in the first place to search for an executable file.
 Note: The directory  '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script.
@@ Line 394: / Line 390: @@
 <code bash>
-ln -sf /bin/ping /usr/local/jails/ping
+create-jail -p ping
+</code>
+Thats all.\\
+Test it with
+<code bash>
+ping heise.de --show
+</code>
+Output should be similar like:
+<code bash>
+/usr/bin/rsbac_jail  -I 0.0.0.0 -r /bin/ping heise.de
 </code>
-Thats all.
-The jail configuration file 'ping' must be exists.
+The jail configuration file 'ping' must be exists but usally is shipped with the rsbac-tools.
-When this wrapper  not will  needed anymore then simple undo the '/etc/profile' modification and remove the 'jails' directory.
+When this wrapper has no need anymore then simple undo the '/etc/profile' modification and remove the '/usr/local/jails' directory.
 [[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\

//