Date:      Fri, 23 Aug 2013 09:53:05 -0500
From:      Scott Lambert <lambert@lambertfam.org>
To:        freebsd-jail@freebsd.org
Subject:   Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
Message-ID:  <20130823145305.GZ99960@www.jail.lambertfam.org>
In-Reply-To: <53156.128.135.70.2.1377268543.squirrel@cosmo.uchicago.edu>
References:  <52177C19.6040909@gmail.com> <53156.128.135.70.2.1377268543.squirrel@cosmo.uchicago.edu>

On Fri, Aug 23, 2013 at 09:35:43AM -0500, Valeri Galtsev wrote:
> To the best of my knowledge, raw sockets are not allowed inside jail by
> default. This might be your problem (as far as I know how nagios works).
> 
> To allow raw sockets you can do
> 
> sysctl security.jail.allow_raw_sockets=1
> 
> then you need to restart at least the jail inside which your nagios
> instance lives.
> 
> To make the above enabled at boot time you can add the following line into
> /etc/sysctl.conf
> 
> security.jail.allow_raw_sockets=1
> 
> BTW, beware: this affects all jails.

All correct.

Putting this in /etc/rc.conf:

jail_${JailName}_parameters="allow.raw_sockets=1" 

does not allow every jail access to raw sockets.  There is an example in
/etc/defaults/rc.conf.

If you are using ezjails, just add that with a leading "export " to
the end of your /usr/local/etc/ezjail/${JailName} config file.
 
> On Fri, August 23, 2013 10:13 am, Mike C. wrote:
> >
> > I'm having a problem with nagios under a jail... commands work as root
> > and another normal user I created (it's not even in the wheel group)
> >
> > running commands such as "check_http" get me an Operation not permitted,
> > with ktrace I was able to confirm the problem:
> > connect -1 errno 1 Operation not permitted
> >
> >
> > The thing is this only happens with the user nagios and I can not figure
> > out why!
> >
> > I'm very new to jails, so I'm sure I'm possibly missing something
> > trivial, but I would appreciate any help!
> >
> > What could be different about the user to not allow "connect" ?
> >
> > Many thanks
> >
> > _______________________________________________
> > freebsd-jail@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
> >
> 
> 
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org

How to be a "computer expert," http://www.xkcd.com/627/
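
The difference in scope between the global sysctl and the per-jail rc.conf parameter discussed in this message can be audited with a short script. This is an added example, not part of the original thread: the function names and the sample files are constructed, and it assumes parameters in a `jail_<name>_parameters` value are whitespace-separated and that the last assignment for a jail wins.

```shell
#!/bin/sh
# Added example (not from the thread): which jails end up with raw sockets?

# Prints "yes" if a sysctl.conf-style file enables raw sockets for ALL jails.
global_raw_sockets() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t"]/, "") }
        /^security\.jail\.allow_raw_sockets=/ { v = substr($0, index($0, "=") + 1) }
        END { if (v == "1") print "yes"; else print "no" }
    ' "$1"
}

# Prints the jails whose jail_<name>_parameters line (optionally prefixed with
# "export ", as in an ezjail config) grants allow.raw_sockets=1.
# Assumption: parameters are whitespace-separated; the last assignment wins.
per_jail_raw_sockets() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]*(export[ \t]+)?/, "") }
        match($0, /^jail_.+_parameters=/) {
            name = substr($0, 6, RLENGTH - 17)   # between "jail_" and "_parameters="
            val = substr($0, RLENGTH + 1); gsub(/"/, "", val)
            on[name] = ((" " val " ") ~ "[ \t]allow[.]raw_sockets=1[ \t]") ? 1 : 0
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
        }
        END { for (i = 1; i <= n; i++) if (on[order[i]]) print order[i] }
    ' "$1"
}

# Constructed sample files, standing in for /etc/sysctl.conf and /etc/rc.conf.
tmp=$(mktemp -d)
printf '%s\n' '# security.jail.allow_raw_sockets=1' > "$tmp/sysctl.conf"
cat > "$tmp/rc.conf" <<'EOF'
jail_monitor_parameters="allow.raw_sockets=1"
jail_web_parameters="allow.sysvipc=1"
export jail_db_parameters="allow.sysvipc=1 allow.raw_sockets=1"
jail_old_parameters="allow.raw_sockets=1"
jail_old_parameters=""
EOF
if [ "$(global_raw_sockets "$tmp/sysctl.conf")" = yes ]; then
    echo "raw sockets: every jail (global sysctl)"
else
    echo "raw sockets only in:" $(per_jail_raw_sockets "$tmp/rc.conf")
fi
rm -rf "$tmp"
```

Pointed at the real /etc/sysctl.conf and /etc/rc.conf (or an ezjail config file), the same two functions show whether raw sockets are granted to one monitoring jail or to every jail on the host.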
