From owner-freebsd-stable@FreeBSD.ORG Mon Feb 17 18:39:37 2014
Date: Mon, 17 Feb 2014 19:39:27 +0100
From: "A.J. 'Fonz' van Werven"
To: Phil Regnauld
Cc: freebsd-stable@freebsd.org
Subject: Re: Should I use jail?
Message-ID: <20140217183927.GA6886@spectrum.skysmurf.nl>
In-Reply-To: <20140216151257.GP71201@macbook.bluepipe.net>
References: <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl> <20140216151257.GP71201@macbook.bluepipe.net>
X-PGP-Key: http://www.skysmurf.nl/~fonz/fonz_pubkey.asc
User-Agent: Mutt/1.5.22 (2013-10-16)
List-Id: Production branch of FreeBSD source code

Phil Regnauld wrote:
>>> For what it's worth I never, ever run any service without running it in
>>> a jail.
>>
>> Smartass comment: if that includes ntpd or a master NIS server, would
>> you care to divulge how you did that?
>
> I don't know why the NIS server would be any different,

The problem with NIS (and by extension NFS) is rpcbind, which AFAIK cannot
run in a jail. For jails that are NIS clients(*) I currently have to use a
workaround I found on the Forums, which is to add

    service rpcbind forcestop

to /etc/rc.d/ypbind because otherwise (yp)chsh, (yp)chfn and (yp)passwd
won't work from the jails.

> but for services that require access to devices (say, ntpd talking to a
> GPS over USB), you define new devfs rules to unhide the requisite /dev/
> entries for the jails running the service. I do this for OpenDNSSEC
> using a smartcard reader.
>
> Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
> among other things - but beware of giving access to raw devices this
> way) and ugen* devices under /dev/
>
> [devfsrules_jail_bpf=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide
> add path 'ugen0.*' unhide

What do you know: what was intended as a smartass comment that I almost
refrained from sending in the first place actually elicited a useful
response. Thank you very much for the suggestion, I'll look into that. The
main question would be which /dev entry provides (write) access to the
system clock, if that even goes through a /dev entry to begin with. A quick
look through /usr/src/sys didn't turn up anything.

AvW

Ad (*): I use NIS to share uids/gids between jails (and the host).

-- 
I'm not completely useless, I can be used as a bad example.
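The ruleset quoted above uses the devfs.rules(5) syntax, where `add include $name` pulls in another ruleset and `add path ... unhide` exposes device nodes to the jail. Because includes chain, the full set of nodes a jail can see is not visible from one section alone, and the warning about raw devices (bpf, ugen) is exactly the kind of thing worth checking before applying a ruleset. The following POSIX sh helper is an added example, not code from the thread or from the FreeBSD project: it reads a devfs.rules-format file, resolves includes recursively, lists every unhidden path pattern, and picks out the raw-device classes the message warns about. The rules file it reads is constructed inline; the `devfsrules_jail` section in it is a shortened stand-in for the stock ruleset, not the real contents of /etc/defaults/devfs.rules.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit which /dev entries a
# devfs.rules(5) ruleset exposes, following "add include $name" recursively.
# The rules file below is constructed; "devfsrules_jail" is a shortened
# stand-in for the stock ruleset, not the real /etc/defaults/devfs.rules.

SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add path null unhide
add path zero unhide
add path random unhide

# Ruleset quoted in the thread: inherits the jail defaults, then exposes
# packet-capture (bpf) and raw USB (ugen) device nodes.
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide
add path 'ugen0.*' unhide
EOF

# section_lines FILE NAME: print the directives of section [NAME=N],
# skipping blank lines and '#' comments.
section_lines() {
    awk -v want="$2" '
        /^\[/ { name = $0; sub(/^\[/, "", name); sub(/=.*$/, "", name)
                insec = (name == want); next }
        insec && NF && $0 !~ /^#/ { print }
    ' "$1"
}

# unhidden_paths FILE NAME: every "add path ... unhide" pattern the ruleset
# exposes, with included rulesets resolved depth-first, one per line.
unhidden_paths() {
    section_lines "$1" "$2" | while read -r line; do
        case "$line" in
            'add include $'*)
                unhidden_paths "$1" "${line#*\$}"   # recurse into the include
                ;;
            'add path '*' unhide')
                p=${line#add path }
                p=${p% unhide}
                p=${p#\'}; p=${p%\'}              # drop the quotes around globs
                printf '%s\n' "$p"
                ;;
        esac
    done
}

# risky_unhides FILE NAME: the subset of exposed patterns that reach the
# device classes the thread warns about (constructed watchlist: bpf gives
# raw packet capture, ugen gives raw USB access).
risky_unhides() {
    unhidden_paths "$1" "$2" | grep -E '^(bpf|ugen)' || true
}

# count_lines: number of lines on stdin (portable, no leading whitespace).
count_lines() { awk 'END { print NR }'; }

# Stand-alone demo: show what the quoted ruleset would expose to a jail.
printf 'Ruleset devfsrules_jail_bpf exposes:\n'
unhidden_paths "$SAMPLE_RULES" devfsrules_jail_bpf
printf 'Of which raw-device exposures:\n'
risky_unhides "$SAMPLE_RULES" devfsrules_jail_bpf
```

Running the script against a real /etc/devfs.rules (replace `$SAMPLE_RULES` with that path) before assigning the ruleset to a jail makes the inherited nodes explicit, so the only entries that show up under `risky_unhides` are the ones deliberately added for the service that needs them.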