Jails are tools available for FreeBSD to enhance the security for our systems. The concept for a jail is very similar with the chroot but jails are an improvement of it. Chroot limits a process to see only a part of the filesystem, but the rest of the resources like the users, system process or network subsystems are shared between the chroot system and the server. The Jails virtualize the access to the filesystem, the users and the network subsystem from the FreeBSD kernel, creating “subsystems” with his own users, filesystem hierarchy, processes, network… on the same system. Basically a Jail is composed by:
- Subtree directories.
- A hostname to identify the jail.
- An IP address associated with the jail (it could be an alias for a network interface).
- A command to run inside the jail.
With jails we can improve our server security separating the different services, if one of them is violated only the jail system is affected and the service running inside. It’s very common to compare jails with virtual machines, but are not the same. Virtual machines runs operating systems, under an hypervisor and virtualize the different resources for the virtual machines like CPU, RAM, disk, network adapters, etc… the jails only has a part of the filesystem, an ip address, hostname and application running under this, but all the jails are running on the same kernel.
Install FreeBSD sources
We can install the FreeBSD sources from the freebsd.org ftp or from a iso image of our freebsd version.
– Download from freebsd.org:
[64 bits]
# cd /tmp ; wget ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/9.0-RELEASE/src.txz
[32 bits]
# cd /tmp ; wget ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/9.0-RELEASE/src.txz
– Unpack the downloaded package:
# tar -C / -xvzf src.txz
– Extract from the DVD image:
# mkdir /media/cdrom # mount_cd9660 /dev/cd0 /media/cdrom # cd /media/cdrom/usr/freebsd-dist/ # tar -C / -xvzf src.txz
Creating the tree directories structure for the new jail
– Creating the basic binaries, man pages, libraries and other system utilities to the new jail directory:
# mkdir -p /usr/jails/http # cd /usr/src/ # make world DESTDIR=/usr/jails/http/
– Installing all the file configuration for the new jail:
# make distribution DESTDIR=/usr/jails/http/
– Mounting the filesystem devfs, it may be necessary for some services or applications to some device system:
# mount -t devfs devfs /usr/jails/http/dev
Starting automatically the jails configured in our system at boot
– Edit /etc/rc.conf:
# vi /etc/rc.conf ifconfig_em0="inet 192.168.1.138 netmask 255.255.255.0" ifconfig_em0_alias0="inet 192.168.1.132 netmask 255.255.255.0" jail_enable="YES" jail_list="http" jail_http_rootdir="/usr/jails/http" jail_http_hostname="www.myhome.net" jail_http_ip="192.168.1.132" jail_http_devfs_enable="YES"
Starting our new jail
# /etc/rc.d/jail start http
Managing a specific jail on a system
– Show the list of Jails configured in our system:
# jls
– Execute commands in our jails:
# jexec 2 pwd
– Opening a shell with the jail:
# jexec 2 csh