DaemonForums  

ezjail /usr/home users and groups question

#1 neurosis, 26th August 2008

I created a couple of jails using ezjail and decided against having an admin type login for either jail. Instead I've been just using the jexec command to enter the jails and admin them. Only one of the jails has an ssh login set up and the other only runs an ftpd. The ftpd is pure-ftpd. Well, when I am logged in under my normal login, change to the /usr/jail/jailname/usr/home/ directory and look at the owner/group of the user/users in the home directory, they don't match what shows when I go in to the jails using the jexec command. In fact they both have a very strange owner/group when looking at them from my normal login. When viewing them by entering the jails using the jexec command they display what I would expect. My question is, who should the owner and group of these be when viewing them not logged in to the jail? It seems to have picked strange owners and groups for these and I'm not sure why.

#2 anomie, 26th August 2008

Remember: /etc/passwd within the host will most likely differ from /etc/passwd within the jail. (Especially if you've installed ports within the jail that create service accounts.)

You're going to want to administer the jail from within the jail.
__________________
Kill your t.v.

#3 neurosis, 26th August 2008

Quote:
Originally Posted by anomie
Remember: /etc/passwd within the host will most likely differ from /etc/passwd within the jail. (Especially if you've installed ports within the jail that create service accounts.)

You're going to want to administer the jail from within the jail.

You can do that using the jexec command to enter the jail, can't you? Or do I need to create an admin account inside of the jail and do it that way? When I enter the jail using jexec it placed me inside of the jail as root. That's the way I've set everything up inside of the jails and I get this weird phenomenon of strange owner/group but only when looking at permissions from outside of the jail.

#4 anomie, 26th August 2008

This will give you a root shell within Jail ID 1:
# jexec 1 /bin/csh

The owner/group phenomenon you're seeing is actually not weird -- it's just that your /etc/passwd between the host and jail do not match.
__________________
Kill your t.v.

#5 neurosis, 26th August 2008

Quote:
Originally Posted by anomie
This will give you a root shell within Jail ID 1:
# jexec 1 /bin/csh

The owner/group phenomenon you're seeing is actually not weird -- it's just that your /etc/passwd between the host and jail do not match.

I guess that the uid and the gid wouldn't match, would they. I'm assuming that this doesn't cause problems? The uid and gid are matching a couple of accounts that are on the host so it's showing that they are the owner and group of the jail user directories. This freaked me out a little.

#6 anomie, 26th August 2008

If you want ownership to match exactly between the host and its jail, it will require a deliberate, ongoing effort to keep /etc/passwd (actually /etc/pwd.db, IIRC) in sync.

Not worth the effort, IMO. Just make sure you don't accidentally give a shell user on the host system ownership of some jail resources. (You're not allowing shell users on the host system anyway, right? Right?)
__________________
Kill your t.v.
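
The ownership check anomie describes above, as an added example that is not part of the original posts: a shell function that compares a host and a jail passwd file and lists the UIDs that resolve to different account names, marking those whose host account has a login shell. The function names `uid_collisions` and `sample_report` and the sample accounts are constructed for illustration; on a real system the arguments would be the host's /etc/passwd and the jail's copy under its root (assumed here to be /usr/jail/jailname/etc/passwd, following the path in post #1).

```shell
#!/bin/sh
# Added example (not from the thread). Lists UIDs that exist in both the host
# and the jail password files under different account names, i.e. the cases
# where ls on the host shows a host account as the owner of jail files.
# usage: uid_collisions HOST_PASSWD JAIL_PASSWD
uid_collisions() {
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments, malformed lines
        FILENAME == ARGV[1] { hname[$3] = $1; hshell[$3] = $7; next }
        ($3 in hname) && hname[$3] != $1 {
            # an empty shell field means /bin/sh, so only nologin/false count as no-shell
            risk = (hshell[$3] ~ /(nologin|false)$/) ? "no-shell" : "SHELL"
            printf "%s jail=%s host=%s %s\n", $3, $1, hname[$3], risk
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample data: two small passwd files in a temporary directory.
sample_report() {
    d=$(mktemp -d) || return 1
    cat > "$d/host" <<'EOF'
# constructed host /etc/passwd
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/tcsh
backup:*:1002:1002:Backup:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$d/jail" <<'EOF'
# constructed jail /etc/passwd
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ftpuser:*:1001:1001:FTP upload user:/usr/home/ftpuser:/usr/sbin/nologin
webdev:*:1002:1002:Web developer:/usr/home/webdev:/bin/sh
EOF
    uid_collisions "$d/host" "$d/jail"
    rm -rf "$d"
}

sample_report
```

Lines marked SHELL are the ones to look at first: a host account that can log in and whose UID matches a jail user has that user's file permissions on the jail's directories when it reaches them from the host side.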

#7 neurosis, 27th August 2008

Quote:
Originally Posted by anomie
If you want ownership to match exactly between the host and its jail, it will require a deliberate, ongoing effort to keep /etc/passwd (actually /etc/pwd.db, IIRC) in sync.

Not worth the effort, IMO. Just make sure you don't accidentally give a shell user on the host system ownership of some jail resources. (You're not allowing shell users on the host system anyway, right? Right?)

Actually my host system is locked up quite tight. I am the only one with a shell login and it requires a key to login. I would like to tighten up the brute force measures a little but I'm still lacking in the understanding of PF, although I do have a book on it now and am learning, although very slowly. Now my only concern is that someone could possibly break out of the jail somehow.

#8 chris, 8th September 2008

In my opinion there's no need to worry about someone breaking out of a jail as they are very secure. In case you're worried that it's very easy to do so, try it yourself; it's literally a whole new system inside another, like a Russian doll. With regards to virtually stopping brute force attacks I can recommend OSSEC HIDS, which will make use of PF, and all you'll need to do is add a blacklist table for it to use.