# Software usage for a jail?



## Phishfry (Jul 17, 2016)

I am wondering about using sysutils/webmin in a jail as I would like to use the best security practices available. My question is the very nature of Webmin being a server monitoring service with a webgui, would all the features work? My question is how could you "sandbox' webmin in a jail and still have it function?

Am I wrong to equate a sandbox with a jail?

Here it implies Webmin works with jails:
http://doxfer.webmin.com/Webmin/Installation

So from the handbook I would want a service jail correct? I plan on using ez-jails.

I also like dabbling in net/hostapd. Would a separate jail work there too?

What about jails on Arm systems? Is it feasible?


----------



## Maxnix (Jul 17, 2016)

Phishfry said:


> I am wondering about using sysutils/webmin in a jail as I would like to use the best security practices available. My question is the very nature of Webmin being a server monitoring service with a webgui, would all the features work? My question is how could you "sandbox' webmin in a jail and still have it function?


If you intend monitoring your jail with sysutils/webmin, I don't see any reason why it shouldn't work. But I don't think you can run it jailed and to monitor your host system. The access to the host system resources from inside of the jail would defeat the intent of jails themselves.



Phishfry said:


> Am I wrong to equate a sandbox with a jail?


Yes and no. Jails are a form of sandboxing, but not all sandboxnig techniques work like jails. Give a look here: https://en.wikipedia.org/wiki/Sandbox_(computer_security)
Jails are full isolated systems, it's operating-system-level virtualization. Something like capsicum(4) seems what you are looking for, as sandboxing model.



Phishfry said:


> I also like dabbling in net/hostapd. Would a separate jail work there too?


I've never used net/hostapd, but as long it can interface itself with your network card, it should IMO.


----------



## wblock@ (Jul 17, 2016)

I run Icinga2 (a Nagios work-alike) in a jail.  It's just a web server, and I think Webmin is the same.  That will work.  But Webmin has a long history of security problems, and I would try to run something without that history.

Icinga2 can monitor the jail it is in, and much of that is the same as the host.


----------

