Jailing OpenBSD

December 31, 2008

The jail system is well known to FreeBSD users. But does the super-hyper-ultra-secure OpenBSD really have no jail-like system???

A few weeks ago, my friend and I were talking about security and how to expose an OpenBSD host on the wild Internet… One of his ideas was to use the ChrootDirectory option in OpenSSH… but I wanted something more…

As I knew FreeBSD and its jail system very well (I started with this stuff 5 years ago)… I tried to find something equivalent for OpenBSD… and then I found the incredible sysjail.

Well, let’s see how to install sysjail in OpenBSD 4.4:

  • Download the tarball port:
wget http://sysjail.bsd.lv/dist/sysjail-obsd-1.2.34.tar.gz
  • Decompress into ports directory:
tar -zxvf sysjail-obsd-1.2.34.tar.gz -C /usr/ports/security
  • Try to build it (just make):
(cd /usr/ports/security/sysjail && make)
  • As you can see, it needs a patch, because the current version only works on OpenBSD 4.3 and earlier:

patch.txt:

--- intercepts.h    Fri Jul 18 11:01:50 2008
+++ intercepts.h.new    Tue Dec 30 21:54:10 2008
@@ -1714,7 +1714,7 @@

 #if defined(__OpenBSD__)
 # if OpenBSD == 200711 || OpenBSD == 200705 || \
-         OpenBSD == 200805
+         OpenBSD == 200805 || OpenBSD == 200811
 #  define sj_inttbl    { { sj_obsd_4_0_native, \
                NULL, NULL, \
                sj_obsd_4_1_freebsd, \
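Review bot: extending the `# if OpenBSD == ...` guard to 200811 (the 4.4 release value, next to 200705, 200711 and 200805 for 4.1 to 4.3) only lets the preprocessor reach the table definition; the table itself is unchanged, `sj_inttbl` still begins with `sj_obsd_4_0_native` and `sj_obsd_4_1_freebsd`, so 4.4 gets exactly the system-call intercepts that were written for 4.3 and earlier. Before relying on the jail, confirm that none of the intercepted calls changed number or arguments between 4.3 and 4.4 (sys/kern/syscalls.master in the 4.4 source tree is the reference); a renumbered call would otherwise pass through unconfined. A one-line comment next to the added value noting that 4.4 is untested upstream would also help the next person who bumps this list.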

cd w-sysjail-1.2.34/sysjail-1.2.34/
patch -p0 < patch.txt
  • Try again and be happy :)
make && make install

Now, it’s time for action!!!

  • Preparing the environment:
mkdir -p /usr/local/jail/cerberus
  • Getting the binaries:
wget -c \
    ftp://ftp.openbsd.org/pub/OpenBSD/4.4/`uname -m`/\*.tgz
for i in *.tgz;
do
    tar -zxvf $i -C /usr/local/jail/cerberus/;
done
  • Essential devices:
cd /usr/local/jail/cerberus/dev
sh ./MAKEDEV std random
  • Preparing the network (NIC alias):
ifconfig ne3 inet 172.16.0.2 netmask 255.255.255.0 alias
  • Creating the jail:
/usr/local/sbin/sysjail --quiet --allow-sysvipc \
    --cmd-enable /usr/local/jail/cerberus cerberus \
    172.16.0.2 /bin/sh /etc/rc
  • Testing:
    • jls
    • ssh 172.16.0.2
    • jail /usr/local/jail/cerberus cerberus 172.16.0.2 /bin/sh
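Extracting every set into the jail root also copies every setuid binary of a full install into it. As an added example (not from the original post), here is a small sh script that lists those binaries, compares them with an allowlist and strips the bits from the rest; the root path follows the post, while the allowlist and the script name are assumptions:

```shell
#!/bin/sh
# Audit a sysjail root for setuid/setgid binaries before the jail is started.
# Added example, not from the original post. The default root path follows
# the post; the allowlist below is an assumption, adjust it to your needs.

JAIL_ROOT="${1:-/usr/local/jail/cerberus}"

# Setuid programs tolerated inside the jail, as paths relative to its root.
ALLOWED_SETUID="/usr/bin/passwd /usr/bin/su"

# Print every setuid or setgid regular file under the jail root,
# as a path relative to that root, one per line, sorted.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed "s|^$1||" | sort
}

# Return 0 when every setuid/setgid file is allowlisted, 1 otherwise;
# each unexpected file is printed. (Paths with spaces are not expected
# in an OpenBSD base tree, so plain word splitting is used.)
audit_setuid() {
    status=0
    for f in $(list_setuid "$1"); do
        case " $ALLOWED_SETUID " in
            *" $f "*) ;;
            *) echo "unexpected setuid/setgid: $f"; status=1 ;;
        esac
    done
    return $status
}

# Clear the setuid and setgid bits on every file not in the allowlist.
fix_setuid() {
    for f in $(list_setuid "$1"); do
        case " $ALLOWED_SETUID " in
            *" $f "*) ;;
            *) chmod u-s,g-s "$1$f" ;;
        esac
    done
}

# Usage: sh jail-setuid-audit.sh [jail-root]
if [ -d "$JAIL_ROOT" ]; then
    audit_setuid "$JAIL_ROOT" || echo "run fix_setuid to clear the bits"
fi
```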

PS: take care when using sysjail together with systrace.
