NetBSD-Users archive


Re: Server chroot jail-like advice



Hi,
Well, AFAIK there is no such thing yet in NetBSD (or at least officially). NetBSD 9 will have its own "KVM"-like virtualisation solution named NVMM for AMD64 (AKA x86_64). You can also use Xen. There was a solution back in the day named "sysjail", but it's deprecated because of serious security issues (see https://en.wikipedia.org/wiki/Sysjail).
I personally use sailor ( https://gitlab.com/iMil/sailor ) but it's not supported by the NetBSD team.

IMHO that's a project the NetBSD team should be working on. Jails/Zones/Containers or any kernel-level virtualisation would totally align with NetBSD's goal: portability.

On Thu, Oct 10, 2019 at 11:10 AM Luis P. Mendes <luislupe%gmx.com@localhost> wrote:
Hi,


I've been using FreeBSD and its jail system to power my server needs.
One jail for the database server, providing a unix socket that is null
mounted at other jails with webservers, mainly.

As I don't find many readings about this kind of setup in NetBSD, I'd
like to know what you do regarding the need to secure a database
server, a webserver with PHP, for example.

Do you chroot each service?
Use ldd to find the missing components for the services to run?
Do it all by hand or is there an automation tool that helps?
How about the network stuff?  With jails and pf I can route some
traffic to a specific jail running some service.  How do you manage
this in NetBSD land?


--


Luis Mendes

