wiki:experiences:igraltist:run-jail
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
wiki:experiences:igraltist:run-jail [2012/05/13 05:11] – (old revision restored) 127.0.0.1wiki:experiences:igraltist:run-jail [2012/07/21 20:01] (current) – (old revision restored) 127.0.0.1
Line 1: Line 1:
-[[wiki:experiences/igraltist#rsbac_jail|Back to igraltist's experiences/RSBAC JAIL]]\\ +[[wiki:experiences/igraltist#JAIL|Back to igraltist's experiences/JAIL]]\\
- +
- +
- +
- +
- +
- +
- +
- +
- +
  
 ====== run-jail ====== ====== run-jail ======
-Visit the [[http://hg.kasten-edv.de/rsbac-tools/file| mericurial repository]]. +Iam using my own tool to manage the RSBAC JAIL.
- +
- +
- +
- +
- +
- +
  
 +See the [[http://hg.kasten-edv.de/rsbac-tools/file| mericurial repository]].
  
  
Line 83: Line 67:
  
 To learn how to interpret the log messages to develop a jail policy see [[wiki:experiences/igraltist/run-jail/explain-jail-message|explain-jail-message]]. To learn how to interpret the log messages to develop a jail policy see [[wiki:experiences/igraltist/run-jail/explain-jail-message|explain-jail-message]].
 +
  
  
Line 256: Line 241:
 </code> </code>
  
-The above example does not run the application in a chroot. It is not restricted to any particular nework interface.\\ And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).\\Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.+The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits. 
  
  
Line 294: Line 280:
 or in the init.d file. or in the init.d file.
  
-As example use the postfix init script. Modify it like below:+As example use the postfix init script. Modify it like below:
 <code bash> <code bash>
 run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG} run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}
Line 300: Line 286:
  
 Then stop and start the service again. Then stop and start the service again.
 +
 +Or just use ping on cmdline:
 +(the optional parameter --show display the full translated command)
 +<code bash>
 +run-jail ping ping heise.de -t 3 --show
 +</code>
 +
  
 <del>FIXME: substitute numeric values into human readable names from ps-jail <del>FIXME: substitute numeric values into human readable names from ps-jail
Line 305: Line 298:
  
 In rsbac-tools there is a tool ps-jail which display processes are in a jail. In rsbac-tools there is a tool ps-jail which display processes are in a jail.
-Or does a:+<code bash> 
 +ps-jail -h 
 +</code> 
 + 
 +Or do a:
 <code bash> <code bash>
 cat /proc/rsbac-info/jails cat /proc/rsbac-info/jails
 </code> </code>
 +
  
  
Line 339: Line 337:
 This policies are tested and working so far. This policies are tested and working so far.
  
-  * [[wiki:experiences/igraltist/jail_apache2|Setup for apache2]] +  * [[http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail|Example configurations for run-jail]]
-  * [[wiki:experiences/igraltist/jail_apcupsd|Setup for apcupsd]] +
-  * [[wiki:experiences/igraltist/jail_cron|Setup for cron]] +
-  * [[wiki:experiences/igraltist/jail_dbus|Setup for dbus]] +
-  * [[wiki:experiences/igraltist/jail_ddclient|Setup for ddclient]] +
-  * [[wiki:experiences/igraltist/jail_dhcpd|Setup for dhcpd]] +
-  * [[wiki:experiences/igraltist/jail_dmeventd|Setup for dmeventd]] +
-  * [[wiki:experiences/igraltist/jail_hald|Setup for hald]] +
-  * [[wiki:experiences/igraltist/jail_ntpd|Setup for ntpd]] +
-  * [[wiki:experiences/igraltist/jail_pdnsd|Setup for pdnsd]] +
-  * [[wiki:experiences/igraltist/jail_ping|Setup for ping]] +
-  * [[wiki:experiences/igraltist/jail_portmap|Setup for portmap]] +
-  * [[wiki:experiences/igraltist/jail_postfix|Setup for postfix]] +
-  * [[wiki:experiences/igraltist/jail_powernowd|Setup for powernowd]] +
-  * [[wiki:experiences/igraltist/jail_rklogd|Setup for rklogd]] +
-  * [[wiki:experiences/igraltist/jail_rsync|Setup for rsync]] +
-  * [[wiki:experiences/igraltist/jail_samba|Setup for samba]] +
-  * [[wiki:experiences/igraltist/jail_squid|Setup for squid]] +
-  * [[wiki:experiences/igraltist/jail_syslogd|Setup for syslogd]] +
-  * [[wiki:experiences/igraltist/jail_syslog-ng|Setup for syslog-ng]]   +
-  * [[wiki:experiences/igraltist/jail_wget|Setup for wget]] +
-  * [[wiki:experiences/igraltist/jail_vixie-cron|Setup for vixie-cron]] +
- +
- +
- +
- +
- +
  
  
Line 385: Line 356:
 </code> </code>
  
-For example, if you want jailed 'ping' or 'wget' automatic, therefor I have done:+ 
 + 
 +====== Jailed local programs for lazy people ===== 
 +For example, if you want jailed 'ping' or 'wget' automatic, this does not prevent a using the absolute path. 
 +The idea behind is simple add a new path to the environ variable PATH and put it on first place.  
 + 
 +For this do:
 <code bash> <code bash>
-mkdir /jails+mkdir /usr/local/jails
 </code> </code>
  
-The profile must will modified, so that 'bash' in the directory jails as first search+The profile must will modified, so that directory /usr/local/jails is the first search path.
-Therefor I have inserted on begin in the PATH the new jails directory.+
  
 For example it can looks like For example it can looks like
Line 402: Line 378:
 </code> </code>
  
-For updating the path execute:+Updating profile:
 <code bash> <code bash>
 source /etc/profile source /etc/profile
 </code> </code>
  
-Now the 'jails' directory in the first place to search for a binary file.+Now the '/usr/local/jails' directory in the first place to search for an executable file.
  
 Note: The directory  '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script. Note: The directory  '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script.
Line 414: Line 390:
  
 <code bash> <code bash>
-ln -sf /bin/ping /usr/local/jails/ping+create-jail -p ping  
 +</code> 
 + 
 +Thats all.\\ 
 +Test it with  
 + 
 +<code bash> 
 +ping heise.de --show 
 +</code> 
 + 
 +Output should be similar like: 
 +<code bash> 
 +/usr/bin/rsbac_jail  -I 0.0.0.0 -r /bin/ping heise.de
 </code> </code>
  
-Thats all. 
  
-The jail configuration file 'ping' must be exists.+The jail configuration file 'ping' must be exists but usally is shipped with the rsbac-tools.
  
-When this wrapper  not will  needed anymore then simple undo the '/etc/profile' modification and remove the 'jails' directory.+When this wrapper has no need anymore then simple undo the '/etc/profile' modification and remove the '/usr/local/jails' directory.
  
 [[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\ [[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\
//
wiki/experiences/igraltist/run-jail.1336885908.txt.gz · Last modified: 2012/05/13 05:11 by 127.0.0.1

wiki/experiences/igraltist/run-jail.1336885908.txt.gz · Last modified: 2012/05/13 05:11 by 127.0.0.1
This website is kindly hosted by m-privacy