Date:      Fri, 23 Aug 2013 11:35:39 -0500 (CDT)
From:      "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To:        "Josh Beard" <josh@signalboxes.net>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: connect -1 errno 1 Operation not permitted with specific user  (nagios)
Message-ID:  <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu>
In-Reply-To: <CAHDrHSuupiWJxAw3arOas1UNCSm_5iqqxn2_eCt84KFiE8wwVA@mail.gmail.com>
References:  <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <CAHDrHSuupiWJxAw3arOas1UNCSm_5iqqxn2_eCt84KFiE8wwVA@mail.gmail.com>


On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. <miguelmclara@gmail.com> wrote:
>
>>
>> On 08/23/13 16:34, Mike C. wrote:
>> > Yes I know about
>> >
>> >> security.jail.allow_raw_sockets=1
>> >
>> > Like I said I can do this with "root" just not with the user nagios, I
>> > guess if raw_sockets was set to 0 on the host, I would have problems with
>> > any user!
>> >
>> >
>> >
>> > ----
>> > Putting this in /etc/rc.conf:
>> >
>> > jail_${JailName}_parameters="allow.raw_sockets=1"
>> >
>> > does not allow every jail access to raw sockets.  There is an example in
>> > /etc/defaults/rc.conf.
>> >
>> >
>>
>> [EDIT: better English... sorry typing on smartphones sucks]
>>
>> Now this is something I wasn't aware of... very nice and thanks for the
>> tip on ez-jails, I'm indeed using ez-jails!
>>
>> Is there any other setting that would forbid non root users to use raw
>> sockets?
>>
>> Thanks
>>
>>
>>
>>
> Mike,
>
> Doesn't sound to me like an issue with the jail's configuration, but I'm no
> expert.
>
> I'm running NRPE on many jails without issue there and without any special
> jail configuration.
>
> Are you getting "Operation not permitted" output from the "check_http"
> plugin on the local system or over something like NRPE or through the
> Nagios configurations?
>
> Josh

Also, try to do something simple like ping or traceroute as user nagios
(user for whom check_http fails) in that jail, - does that give any error?

Thanks.
Valeri



++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++


