Jailing OpenBSD
December 31, 2008
The jail system is well known to FreeBSD users. But does the super-hyper-ultra-secure OpenBSD really have no jail-like system???
A few weeks ago, my friend and I were talking about security and how to expose an OpenBSD host to the wild Internet… One of his ideas was to use the ChrootDirectory option in OpenSSH… but I wanted something extra…
As I knew FreeBSD and its jail system very well (I started with this stuff 5 years ago)… I tried to find something equivalent for OpenBSD… and then I found the incredible sysjail.
Well, let's see how to install sysjail on OpenBSD 4.4:
- Download the tarball port:
wget http://sysjail.bsd.lv/dist/sysjail-obsd-1.2.34.tar.gz
- Extract it into the ports directory:
tar -zxvf sysjail-obsd-1.2.34.tar.gz -C /usr/ports/security
- Try your luck (just make):
(cd /usr/ports/security/sysjail && make)
- As you can see, it needs a patch, because the current version only builds on OpenBSD 4.3 and earlier. The patch adds the 4.4 version macro (200811) to the version check:
patch.txt:
--- intercepts.h Fri Jul 18 11:01:50 2008
+++ intercepts.h.new Tue Dec 30 21:54:10 2008
@@ -1714,7 +1714,7 @@
#if defined(__OpenBSD__)
# if OpenBSD == 200711 || OpenBSD == 200705 || \
- OpenBSD == 200805
+ OpenBSD == 200805 || OpenBSD == 200811
# define sj_inttbl { { sj_obsd_4_0_native, \
NULL, NULL, \
sj_obsd_4_1_freebsd, \
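Review bot: extending the guard with `OpenBSD == 200811` makes 4.4 reuse the same `sj_inttbl` (`sj_obsd_4_0_native`, `sj_obsd_4_1_freebsd`, ...) that the 200705/200711/200805 releases use, but nothing in the hunk verifies that the syscalls sysjail intercepts kept their numbers and argument layouts in 4.4; for a confinement tool built on syscall interception, a renumbered or newly added call would show up as a confinement gap rather than a build error, so the post should say whether the patched build was checked against the 4.4 syscall table or only compiled. Two smaller points for anyone copying `patch.txt` from this page: the context lines are shown without the leading space a unified diff requires (e.g. `#if defined(__OpenBSD__)`), so `patch -p0` may reject the hunk unless that prefix is restored, and the hunk as shown carries only six old-side lines although the `@@ -1714,7 +1714,7 @@` header promises seven, so one context line appears to be missing.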
cd w-sysjail-1.2.34/sysjail-1.2.34/
patch -p0 < patch.txt
- Try again and be happy:
make && make install
Now it's time for action!!!
- Preparing the environment:
mkdir -p /usr/local/jail/cerberus
- Getting the binaries:
wget -c \
ftp://ftp.openbsd.org/pub/OpenBSD/4.4/`uname -m`/\*.tgz
for i in *.tgz;
do
tar -zxvf $i -C /usr/local/jail/cerberus/;
done
- Essential devices:
cd /usr/local/jail/cerberus/dev
sh ./MAKEDEV std random
- Preparing the network (NIC alias):
ifconfig ne3 inet 172.16.0.2 netmask 255.255.255.0 alias
- Creating the jail:
/usr/local/sbin/sysjail --quiet --allow-sysvipc \
    --cmd-enable /usr/local/jail/cerberus cerberus \
    172.16.0.2 /bin/sh /etc/rc
- Testing (list the running jails, connect to the jail over SSH, then enter it directly):
jls
ssh 172.16.0.2
jail /usr/local/jail/cerberus cerberus 172.16.0.2 /bin/sh
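The steps above extract full OpenBSD sets into the jail root and hand that directory to sysjail. As an added example (not part of the original post, and not sysjail's own tooling), here is a small POSIX sh helper that checks the prepared tree before the jail is started: the address must be a valid dotted quad, the root must be an absolute, normalized path that actually contains the /bin/sh, /etc/rc and dev/ entries the post's command line relies on, and every setuid or setgid file that came in with the sets is listed so the operator can strip the bit from whatever the jailed service does not need. The sysjail option names are copied verbatim from the post's invocation; the function names, the checks and the sample paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from sysjail: sanity checks for
# a jail root built as described (sets extracted under /usr/local/jail/cerberus,
# MAKEDEV run in its dev/) before /usr/local/sbin/sysjail is invoked.

# validate_ip4 ADDR: succeed only for a dotted quad with octets 0..255, so a
# typo cannot silently bind the jail to a wrong or empty address.
validate_ip4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# jail_root_ok ROOT: sysjail confines processes to this directory, so the path
# must be absolute and normalized (no "..", "." or "//" components) and must
# carry the pieces the post's start command depends on.
jail_root_ok() {
    _jr=$1
    case $_jr in
        /*) ;;
        *) echo "jail root must be absolute: $_jr" >&2; return 1 ;;
    esac
    case "$_jr/" in
        */../*|*/./*|*//*) echo "jail root must be normalized: $_jr" >&2; return 1 ;;
    esac
    [ -d "$_jr" ] || { echo "no such directory: $_jr" >&2; return 1; }
    for _f in bin/sh etc/rc dev/null; do
        [ -e "$_jr/$_f" ] || { echo "missing $_jr/$_f" >&2; return 1; }
    done
    return 0
}

# list_setuid ROOT: full OpenBSD sets bring setuid/setgid binaries into the
# jail; each one is privileged code reachable from inside the confined tree.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# sysjail_cmdline ROOT NAME ADDR [CMD...]: run the checks, then print the
# sysjail invocation from the post (default command: /bin/sh /etc/rc).
# It prints the command line and does not execute it.
sysjail_cmdline() {
    _root=$1
    _name=$2
    _addr=$3
    shift 3
    validate_ip4 "$_addr" || { echo "bad address: $_addr" >&2; return 1; }
    jail_root_ok "$_root" || return 1
    [ $# -gt 0 ] || set -- /bin/sh /etc/rc
    echo "/usr/local/sbin/sysjail --quiet --allow-sysvipc --cmd-enable $_root $_name $_addr $*"
}

# Usage on the jail host: sh jailcheck.sh /usr/local/jail/cerberus cerberus 172.16.0.2
main() {
    echo "setuid/setgid files under $1:"
    list_setuid "$1"
    sysjail_cmdline "$1" "$2" "$3"
}
if [ $# -eq 3 ]; then
    main "$@"
fi
```

The checks run as an ordinary user against any directory, so the tree can be inspected before anything in it is started as root. Paste the printed command line into the shell only once the setuid list has been trimmed to what the jailed service needs.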
P.S.: take care when using Sysjail + Systrace.