Date:      Wed, 27 Dec 2006 20:21:06 +0000
From:      Florent Thoumie <flz@xbsd.org>
To:        Philipp Wuensche <cryx-freebsd@h3q.com>
Cc:        "Raphael H. Becker" <rabe@p-i-n.com>, re@FreeBSD.org, freebsd-rc@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: /etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
Message-ID:  <4592D5B2.3040406@xbsd.org>
In-Reply-To: <458B4479.7060408@h3q.com>
References:  <20061219003401.GA23251@p-i-n.com> <458B4479.7060408@h3q.com>


Philipp Wuensche wrote:
> Raphael H. Becker wrote:
>> Hi *,
>>
>> I recently triggered an error when setting up a jail-host: I configured
>> the jail(s) like every jail I set up in the past:
>
> Yes, this is a bug in rc.d/jail and was introduced in this change:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32.
>
> When a jail fails to start, in your case a broken rc.conf in the jail,
> the jail is stopped and the ipaddr-alias is unconfigured from the
> interface with the following command: ifconfig ${jail_interface} -alias ${jail_ip}
>
> Unfortunately in the change above the variables were renamed to
> _interface and _ip; this leads to ifconfig getting executed without a
> specified ipaddr., and therefore the first alias is unconfigured, which
> is in most cases the ipaddr. through which you are accessing the remote host.
>
> ${jail_interface} is only the correct interface out of luck, so it
> should be changed to _interface too.
>
> I think the correct way would be to call jail_stop() instead of doing
> the cleanup by hand, but in the current implementation this would leave
> the ipaddr-alias configured on the interface.
>
> I think I already mentioned once that I don't like this interface and
> ipaddr. configuration feature in rc.d/jail at all.
>
> Anyway, the quick fix is trivial and should be included in 6.2.
> Otherwise we have a possible DoS security problem with the new release.
>
> --- rc.d/jail.old       Fri Dec 22 03:09:27 2006
> +++ rc.d/jail   Fri Dec 22 03:10:07 2006
> @@ -228,8 +228,8 @@
>                                 echo ${_jail_id} > /var/run/jail_${_jai=
l}.id
>                         else
>                                 jail_umount_fs
> -                               if [ -n "${jail_interface}" ]; then
> -                                       ifconfig ${jail_interface}
> -alias ${jail_ip}
> +                               if [ -n "${_interface}" ]; then
> +                                       ifconfig ${_interface} -alias $=
{_ip}
>                                 fi
>                                 echo " cannot start jail \"${_jail}\": =
"
>                                 tail +2 ${_tmp_jail}
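Review bot: the guard on the `+` lines still tests only `_interface`, so an empty `_ip` would again run `ifconfig ${_interface} -alias` with no address, which is exactly the failure mode described above (the first alias on the interface gets removed). Suggest guarding on both variables, e.g. `if [ -n "${_interface}" -a -n "${_ip}" ]; then`, so that a missing address skips the cleanup instead of silently changing the argument count. The surrounding context (`jail_umount_fs`, the `.id` file written from `${_jail}`) already uses the underscore-prefixed names, so the renamed `_interface`/`_ip` are consistent with the rest of the block.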

Patch looks good. Would be indeed nice to have this fixed before 6.2R is
released.


-- 
Florent Thoumie
flz@FreeBSD.org
FreeBSD Committer
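
The failure mode Philipp describes can be shown without touching a real interface. The following shell script is an added example, not code from rc.d/jail or from either poster: it models the 1.32 cleanup path (testing one variable name while expanding another), the cleanup with the posted patch applied, and a stricter variant that goes beyond the patch by refusing to call `ifconfig -alias` unless both the interface and the address are non-empty. `fake_ifconfig`, the interface name `em0` and the address `192.0.2.10` are constructed stand-ins so the script runs offline; only `ifconfig`, `-alias` and the variable names come from the thread.

```sh
#!/bin/sh
# Added example, not code from rc.d/jail: show what argument vector reaches
# ifconfig in the jail-cleanup path before and after the rename fix, using
# a stub in place of the real /sbin/ifconfig.

# Constructed stand-in for /sbin/ifconfig: print the arguments it was handed,
# one per line, instead of configuring anything.
fake_ifconfig() {
    printf '%s\n' "$@"
}
IFCONFIG=${IFCONFIG:-fake_ifconfig}

# Global defaults as rc.conf might leave them (constructed values). A host
# that sets a default jail_interface has it set; there is no global jail_ip,
# the address only ever lives in the per-jail variable _ip.
jail_interface="em0"
jail_ip=""

# Cleanup as rc.d/jail 1.32 had it: tests jail_interface and expands jail_ip,
# although the per-jail values had been renamed to _interface and _ip. The
# address expands to nothing, so ifconfig sees "IFACE -alias" and removes
# the first alias on the interface.
cleanup_buggy() {
    _interface=$1
    _ip=$2
    if [ -n "${jail_interface}" ]; then
        ${IFCONFIG} ${jail_interface} -alias ${jail_ip}
    fi
}

# Cleanup with the posted patch applied: the renamed variables are used
# consistently, so the jail's own address is passed through.
cleanup_fixed() {
    _interface=$1
    _ip=$2
    if [ -n "${_interface}" ]; then
        ${IFCONFIG} ${_interface} -alias ${_ip}
    fi
}

# Stricter variant (goes beyond the patch): never run "ifconfig -alias" with
# an empty address, because that removes an alias the jail never owned.
# Returns 2 and touches nothing when either value is missing.
cleanup_hardened() {
    _interface=$1
    _ip=$2
    if [ -z "${_interface}" ] || [ -z "${_ip}" ]; then
        echo "cleanup: interface or address unset, leaving aliases alone" >&2
        return 2
    fi
    ${IFCONFIG} "${_interface}" -alias "${_ip}"
}

# Stand-alone run: compare the argument vectors for one constructed jail.
echo "== rc.d/jail 1.32 =="
cleanup_buggy em0 192.0.2.10
echo "== patched =="
cleanup_fixed em0 192.0.2.10
echo "== hardened, address missing =="
cleanup_hardened em0 "" || echo "refused (exit $?)"
```

Run as `sh example.sh`; set `IFCONFIG=/sbin/ifconfig` only on a throwaway host, since the buggy path will really drop the first alias on `em0`.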





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4592D5B2.3040406>