![© Corina Rosu, 123RF.com © Corina Rosu, 123RF.com](/var/ezflow_site/storage/images/archive/2013/13/how-to-configure-and-use-jailed-processes-in-freebsd/123rf-14664900_prisoner-in-jail-3d-render-illustration_corina-rosu_resized.png/95527-1-eng-US/123rf-14664900_prisoner-in-jail-3d-render-illustration_Corina-Rosu_resized.png_medium.png)
How to configure and use jailed processes in FreeBSD
Safely Behind Bars
When managing access privileges on Unix, and thus on FreeBSD, you have basically two types of users: those with and those without administrative privileges. This model clearly reaches its limits, however, if you need to create a web administrator, for example. The web admin needs permissions to be able to change certain configuration files or start the HTTP daemon but should not be permitted to change the system configuration.
A solution to this problem would be adding more granularity to access privileges. In FreeBSD, you have the option of working with File Access Control Lists (FACLs) or deploying the Capsicum capability and sandboxing framework. Unfortunately, these approaches substantially increase the administrative overhead, which in turn could have a negative effect on security.
The chroot environment was invented as a way out of this dilemma, but it has some deficiencies from a security standpoint. For example, it is known that an FTP server that allows anonymous access can let users break out of the chroot environment. In the course of time, some improvements were added to chroot, but problems such as the influence of processes outside of chroot were ultimately not resolved.
The Idea Behind Jails
This is where the concept of the jail comes in: Jails use the positive properties of chroot and at the same time provide absolute protection against manipulation of processes outside the jail. Because a jail relies on a subdirectory tree, a process within the jail cannot access directories and files on the outside. Furthermore, a process inside a jail cannot manipulate the host processes [1]-[5]. Jails thus offer a useful option for providing network services.
However, a jail will not increase the security of a daemon itself. If an FTP daemon has a vulnerability,
...
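The jail concept from "The Idea Behind Jails", applied to the web administrator case from the introduction, as an added jail.conf example that is not taken from the original article. The jail name, path, hostname, and address are assumptions; several of the restrictions shown are already FreeBSD defaults and are spelled out only to make the isolation visible.

```conf
# /etc/jail.conf
# Constructed example: jail name, path, hostname and address are assumptions.

# Defaults applied to every jail defined below.
exec.start = "/bin/sh /etc/rc";           # boot the jail's own rc scripts
exec.stop  = "/bin/sh /etc/rc.shutdown";  # shut jailed services down cleanly
exec.clean;                               # do not inherit the host environment
mount.devfs;                              # give the jail its own /dev

www {
    # Subdirectory tree the jail is confined to. Processes inside
    # see this directory as / and cannot reach files outside it.
    path = "/usr/jails/www";
    host.hostname = "www.example.org";

    # The only address jailed processes may bind to or send from.
    ip4.addr = "192.0.2.10";

    # Restricted devfs ruleset (devfsrules_jail): no disk or memory devices.
    devfs_ruleset = 4;

    # Show only the jail's own root mount point, not the host's mounts.
    enforce_statfs = 2;

    # Root inside the jail stays a restricted root:
    allow.noraw_sockets;      # no raw sockets (this also disables ping)
    allow.nomount;            # no mounting of file systems
    allow.noset_hostname;     # hostname is fixed by the host admin
    children.max = 0;         # no nested jails

    # Even jailed root cannot clear system immutable file flags.
    securelevel = 2;
}
```

With this in place, the host administrator starts the jail with `jail -c www`, and the web administrator can be given root inside `www` to edit the HTTP daemon's configuration and restart it. Host processes and files outside `/usr/jails/www` remain out of reach.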