From: Ian Lepore
To: "A.J. 'Fonz' van Werven"
Cc: freebsd-stable@FreeBSD.org, Phil Regnauld
Subject: Re: Should I use jail?
Date: Mon, 17 Feb 2014 11:53:42 -0700

On Mon, 2014-02-17 at 19:39 +0100, A.J. 'Fonz' van Werven wrote:
> Phil Regnauld wrote:
>
> >>> For what it's worth I never, ever run any service without running it in
> >>> a jail.
> >>
> >> Smartass comment: if that includes ntpd or a master NIS server, would
> >> you care to divulge how you did that?
> >
> > I don't know why the NIS server would be any different,
>
> The problem with NIS (and by extension NFS) is rpcbind, which AFAIK cannot
> run in a jail.
>
> For jails that are NIS clients(*) I currently have to use a workaround I
> found on the Forums, which is to add
>
>     service rpcbind forcestop
>
> to /etc/rc.d/ypbind because otherwise (yp)chsh, (yp)chfn and (yp)passwd
> won't work from the jails.
>
> > but for services that require access to devices (say, ntpd talking to a
> > GPS over USB), you define new devfs rules to unhide the requisite /dev/
> > entries for the jails running the service. I do this for OpenDNSSEC
> > using a smartcard reader.
> >
> > Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
> > among other things - but beware of giving access to raw devices this
> > way) and ugen* devices under /dev/
> >
> > [devfsrules_jail_bpf=5]
> > add include $devfsrules_jail
> > add path 'bpf*' unhide
> > add path 'ugen0.*' unhide
>
> What do you know: what was intended as a smartass comment that I almost
> refrained from sending in the first place actually elicited a useful
> response. Thank you very much for the suggestion, I'll look into that.
>
> The main question would be which /dev entry provides (write) access to the
> system clock, if that even goes through a /dev entry to begin with. A
> quick look through /usr/src/sys didn't turn up anything.

ntpd (or anything else running as root) steers the system clock using
the ntp_adjtime(2), defined in sys/timex.h. There are no devices
involved unless ntpd is also processing a PPS signal, in which case it
uses /dev/pps#.

-- Ian
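
The system-call path described in the reply above can be inspected without any /dev entry. This is an added example, not part of the original message or of FreeBSD's sources: a read-only ntp_adjtime(2) query (modes = 0, so nothing is changed) that prints the kernel's clock state and whether kernel PPS discipline is enabled. The helper names pps_in_use, status_flags and query_clock are made up for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Nonzero when the status word shows kernel PPS discipline enabled. */
int pps_in_use(int status)
{
    return (status & (STA_PPSFREQ | STA_PPSTIME)) != 0;
}

/* Write the names of the status bits of interest into buf; returns buf. */
const char *status_flags(int status, char *buf, size_t len)
{
    static const struct { int bit; const char *name; } flags[] = {
        { STA_PLL, "PLL" }, { STA_UNSYNC, "UNSYNC" },
        { STA_PPSFREQ, "PPSFREQ" }, { STA_PPSTIME, "PPSTIME" },
        { STA_PPSSIGNAL, "PPSSIGNAL" },
    };
    size_t used = 0;
    if (len == 0)
        return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(flags) / sizeof(flags[0]); i++) {
        if (!(status & flags[i].bit) || used >= len)
            continue;
        used += (size_t)snprintf(buf + used, len - used, "%s%s",
            used ? "," : "", flags[i].name);
    }
    return buf;
}

/* Read-only query: with modes = 0 the call only reports state.
 * Returns the clock state (TIME_OK, TIME_ERROR, ...) or -1 on error. */
int query_clock(struct timex *tx)
{
    memset(tx, 0, sizeof(*tx));
    return ntp_adjtime(tx);
}

int main(void)
{
    struct timex tx;
    char buf[64];
    int state = query_clock(&tx);
    if (state == -1) {
        fprintf(stderr, "ntp_adjtime: %s\n", strerror(errno));
        return 1;
    }
    printf("state=%d offset=%ld freq=%ld flags=[%s] pps=%s\n", state,
        (long)tx.offset, (long)tx.freq,
        status_flags(tx.status, buf, sizeof(buf)),
        pps_in_use(tx.status) ? "yes" : "no");
    return 0;
}
```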