Date: Mon, 17 Feb 2014 19:39:27 +0100
From: "A.J. 'Fonz' van Werven" <freebsd@skysmurf.nl>
To: Phil Regnauld <regnauld@x0.dk>
Cc: freebsd-stable@freebsd.org
Subject: Re: Should I use jail?
Message-ID: <20140217183927.GA6886@spectrum.skysmurf.nl>
In-Reply-To: <20140216151257.GP71201@macbook.bluepipe.net>
References: <CAA_8tFq7JNw0=nqz5ByyfJs8cyEu%2B5z%2Bsry=NESViegUSZBJ0Q@mail.gmail.com> <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl> <20140216151257.GP71201@macbook.bluepipe.net>

Phil Regnauld wrote:

>>> For what it's worth I never, ever run any service without running it in
>>> a jail.
>>
>> Smartass comment: if that includes ntpd or a master NIS server, would
>> you care to divulge how you did that?
>
> I don't know why the NIS server would be any different,

The problem with NIS (and by extension NFS) is rpcbind, which AFAIK cannot
run in a jail. For jails that are NIS clients(*) I currently have to use a
workaround I found on the Forums, which is to add

  service rpcbind forcestop

to /etc/rc.d/ypbind because otherwise (yp)chsh, (yp)chfn and (yp)passwd
won't work from the jails.

> but for services that require access to devices (say, ntpd talking to a
> GPS over USB), you define new devfs rules to unhide the requisite /dev/
> entries for the jails running the service. I do this for OpenDNSSEC
> using a smartcard reader.
>
> Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
> among other things - but beware of giving access to raw devices this
> way) and ugen* devices under /dev/
>
> [devfsrules_jail_bpf=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide
> add path 'ugen0.*' unhide

What do you know: what was intended as a smartass comment that I almost
refrained from sending in the first place actually elicited a useful
response. Thank you very much for the suggestion, I'll look into that. The
main question would be which /dev entry provides (write) access to the
system clock, if that even goes through a /dev entry to begin with. A quick
look through /usr/src/sys didn't turn up anything.

AvW

Ad (*): I use NIS to share uids/gids between jails (and the host).

-- 
I'm not completely useless, I can be used as a bad example.
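
An added example, not part of the original message or of FreeBSD: a small Python audit that replays devfs rulesets in order, the way the ruleset quoted above builds on $devfsrules_jail, and reports which watched device nodes each ruleset leaves visible. The rules text is a constructed, simplified sample, and the watch-list of node names and all function names are assumptions made for illustration.

```python
import fnmatch
import re
import shlex

# Constructed sample: simplified base rulesets plus the one quoted above.
SAMPLE_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add path null unhide
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide
"""

# Assumption: sample node names an auditor wants hidden from jails.
WATCHED_NODES = ["bpf0", "ugen0.2", "mem", "kmem", "io"]

def parse_rulesets(text):
    """Return {ruleset_name: [rule token lists]} in file order."""
    rulesets, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        tokens = shlex.split(line, comments=True)
        if current is not None and len(tokens) > 1 and tokens[0] == "add":
            current.append(tokens[1:])
    return rulesets

def visible(node, name, rulesets, shown=True, seen=()):
    """Apply rules in order, includes expanded inline; the last match wins."""
    if name in seen:  # guard against include loops
        return shown
    for rule in rulesets.get(name, []):
        if rule[0] == "include" and len(rule) > 1:
            shown = visible(node, rule[1].lstrip("$"), rulesets, shown, seen + (name,))
        elif rule[-1] in ("hide", "unhide"):
            # "add hide" carries no path and applies to every node
            pattern = rule[1] if rule[0] == "path" and len(rule) > 2 else "*"
            if fnmatch.fnmatchcase(node, pattern):
                shown = rule[-1] == "unhide"
    return shown

def exposed_nodes(text, watched=WATCHED_NODES):
    """Map each ruleset to the watched nodes it leaves visible in /dev."""
    rulesets = parse_rulesets(text)
    return {rs: [n for n in watched if visible(n, rs, rulesets)] for rs in rulesets}
```

Calling `exposed_nodes()` on the real rules file contents shows at a glance which jail rulesets expose raw devices such as bpf; rule forms other than include, hide and unhide are ignored by this sketch.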