From owner-freebsd-stable@FreeBSD.ORG Wed Dec 27 20:40:09 2006
Message-ID: <4592D5B2.3040406@xbsd.org>
Date: Wed, 27 Dec 2006 20:21:06 +0000
From: Florent Thoumie
To: Philipp Wuensche
Cc: "Raphael H. Becker", re@FreeBSD.org, freebsd-rc@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: /etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
References: <20061219003401.GA23251@p-i-n.com> <458B4479.7060408@h3q.com>
In-Reply-To: <458B4479.7060408@h3q.com>

Philipp Wuensche wrote:
> Raphael H. Becker wrote:
>> Hi *,
>>
>> I recently triggered an error when setting up a jail-host: I configured
>> the jail(s) like every jail I set up in the past:
>
> Yes, this is a bug in rc.d/jail and was introduced in this change:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32.
>
> When a jail fails to start, in your case a broken rc.conf in the jail,
> the jail is stopped and the ipaddr-alias is unconfigured from the
> interface with the following command: ifconfig ${jail_interface} -alias ${jail_ip}
>
> Unfortunately in the change above the variables were renamed to
> _interface and _ip. This leads to ifconfig getting executed without a
> specified ipaddr, and therefore the first alias is unconfigured, which
> is in most cases the ipaddr you are using to access the remote host.
>
> ${jail_interface} is only the correct interface out of luck, so it
> should be changed to _interface too.
>
> I think the correct way would be to call jail_stop() instead of doing
> the cleanup by hand but in the current implementation this would leave
> the ipaddr-alias configured on the interface.
>
> I think I already mentioned once that I don't like this interface and
> ipaddr configuration feature in rc.d/jail at all.
>
> Anyway, the quick fix is trivial and should be included in 6.2.
> Otherwise we have a possible DoS security problem with the new release.
>
> --- rc.d/jail.old	Fri Dec 22 03:09:27 2006
> +++ rc.d/jail	Fri Dec 22 03:10:07 2006
> @@ -228,8 +228,8 @@
>  echo ${_jail_id} > /var/run/jail_${_jail}.id
>  else
>  jail_umount_fs
> -if [ -n "${jail_interface}" ]; then
> -ifconfig ${jail_interface} -alias ${jail_ip}
> +if [ -n "${_interface}" ]; then
> +ifconfig ${_interface} -alias ${_ip}
>  fi
>  echo " cannot start jail \"${_jail}\": "
>  tail +2 ${_tmp_jail}

Patch looks good. Would be indeed nice to have this fixed before 6.2R is released.

-- 
Florent Thoumie
flz@FreeBSD.org
FreeBSD Committer
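Review bot: the `if` in the quoted hunk still guards only on `${_interface}`; should `${_ip}` be empty for any other reason, the command collapses to `ifconfig ${_interface} -alias`, which is exactly the empty-address invocation Philipp describes as stripping the first alias on the interface (usually the address the admin is logged in through). Since the whole point of the fix is never to run that form, test both variables, e.g. `if [ -n "${_interface}" ] && [ -n "${_ip}" ]; then`, and quote `"${_ip}"` so an empty value is at least passed as an explicit argument rather than vanishing from the argument list. The rename itself (`jail_interface`/`jail_ip` to `_interface`/`_ip`) is consistent with the `_jail`, `_jail_id` and `_tmp_jail` names in the surrounding context lines, so the two `-`/`+` pairs are correct as far as the visible lines go; the duplicated cleanup versus calling jail_stop(), which Philipp raises above the patch, is a separate follow-up.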
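The failure mode described in the thread, as an added POSIX sh example that is not code from rc.d/jail or from anyone in this thread: a stand-in `ifconfig` shell function records the argument list it would have received, so the script runs offline and shows what the unguarded cleanup hands to ifconfig when the address variable is empty, next to a guarded routine that refuses to issue the command. The interface name `em0`, the address `10.0.0.2`, the function names and the `set -u` demonstration are all constructed for this example; the address check assumes IPv4 dotted-quad aliases only.

```shell
#!/bin/sh
# Added example; not code from rc.d/jail or from anyone in this thread.
# It reproduces the failure mode Philipp describes (an alias-removal
# command whose address argument is an empty variable) and shows a guarded
# cleanup routine that refuses to issue it. ifconfig(8) is shadowed by a
# shell function that only records its argument list, so nothing here
# touches a real interface. Interface name, address and variable names
# are constructed for the demonstration.

IFCONFIG_LOG=""

# Stand-in for /sbin/ifconfig: append the argument list it would have
# received to IFCONFIG_LOG, one command per line.
ifconfig() {
    IFCONFIG_LOG="${IFCONFIG_LOG}ifconfig $*
"
}

reset_log() {
    IFCONFIG_LOG=""
}

# Unguarded cleanup, shaped like the pre-fix branch: only the interface is
# checked, so an empty address still reaches ifconfig and simply vanishes
# from the argument list ("ifconfig em0 -alias").
remove_alias_unguarded() {
    _interface="$1"
    _ip="$2"
    if [ -n "${_interface}" ]; then
        ifconfig ${_interface} -alias ${_ip}
    fi
}

# Guarded cleanup: require a non-empty interface and an address that at
# least looks like a dotted-quad IPv4 literal (assumption: IPv4 aliases
# only). Returns 0 when the removal was issued, 1 when it was refused.
remove_alias_guarded() {
    _interface="$1"
    _ip="$2"
    if [ -z "${_interface}" ] || [ -z "${_ip}" ]; then
        return 1
    fi
    case "${_ip}" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non digit/dot, or bad dot placement
    esac
    ifconfig "${_interface}" -alias "${_ip}"
    return 0
}

# The exact command line the unguarded routine hands to ifconfig when the
# address variable is empty.
unguarded_argv_with_empty_ip() {
    reset_log
    remove_alias_unguarded em0 ""
    printf '%s' "${IFCONFIG_LOG}"
}

# The command line the guarded routine issues for a well-formed address.
guarded_argv() {
    reset_log
    remove_alias_guarded "$1" "$2" || return 1
    printf '%s' "${IFCONFIG_LOG}"
}

# A cheaper safety net for scripts like this: under `set -u` an unset
# variable (the renamed-variable situation from the thread) is a hard
# error instead of a silent empty expansion. Returns the subshell's
# non-zero status when the reference is caught.
unset_var_under_set_u() {
    ( set -u; unset jail_ip; ifconfig em0 -alias ${jail_ip} ) 2>/dev/null
}

# Stand-alone demonstration.
printf 'unguarded, empty address: %s\n' "$(unguarded_argv_with_empty_ip)"
printf 'guarded, good address:    %s\n' "$(guarded_argv em0 10.0.0.2)"
if remove_alias_guarded em0 ""; then
    echo "guarded, empty address:   issued (unexpected)"
else
    echo "guarded, empty address:   refused"
fi
if unset_var_under_set_u; then
    echo "set -u: unset variable expanded silently"
else
    echo "set -u: unset variable caught"
fi
```

The rc.d framework of that era does not run under `set -u`, so the variable-name guard in the guarded routine is the portable defence; the address pattern is a sanity check against an empty or obviously malformed value, not a full IPv4 validator. The actual fix in the thread is the variable rename in the quoted hunk; this example only shows why an empty expansion in that spot matters.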