From: Alexander Leidinger
To: albinootje
Cc: freebsd-jail@FreeBSD.org, Ernst de Haan
Date: Sun, 29 Jul 2007 12:56:18 +0200
Subject: Re: Mails from jails
Message-ID: <20070729125618.4692d7b1@deskjail>
In-Reply-To: <46AB751C.6080603@gmail.com>
Quoting albinootje (Sat, 28 Jul 2007 18:55:56 +0200):

> Alexander Leidinger wrote:
>
> > I have everything in 192.168.x.y on the NIC interface. So there's the
> > possibility to connect to a jail from a different system on the same
> > net. But as sendmail doesn't accept connections from somewhere else,
> > only ssh and the service of this jail is accessible. I would be
> > surprised if postfix is not able to bind to 127.0.0.x.
>
> Personally I remove sendmail (and exim) wherever I can and replace it
> with postfix; I really like the syntax and simplicity of a postfix install
> and configuration.

I don't speak sendmail.cf, but I don't have any problem with configuring
sendmail with the macros. So this is not an issue for me.

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From: Paul Hoffman
To: freebsd-jail@freebsd.org
Date: Sun, 29 Jul 2007 11:57:45 -0700
Subject: What to put in devfs for a typical jail

Greetings. I want to set up a jail for a web server. It only needs to
access the things a normal system would (its own disk space, the network
controller, the keyboard, and so on). I need to be SSHing into the
jailed system to control it.

The manpage for jail says:

    NOTE: It is important that only appropriate device nodes in devfs be
    exposed to a jail; access to disk devices in the jail may permit
    processes in the jail to bypass the jail sandboxing by modifying files
    outside of the jail. See devfs(8) for information on how to use devfs
    rules to limit access to entries in the per-jail devfs.

What should I do for /etc/devfs.rules on the host? What should I be
excluding?
From: albinootje
To: Paul Hoffman, freebsd-jail@FreeBSD.org
Date: Sun, 29 Jul 2007 23:16:05 +0200
Subject: Re: What to put in devfs for a typical jail
Message-ID: <46AD0395.2020505@gmail.com>

Paul Hoffman wrote:
> Greetings. I want to set up a jail for a web server. It only needs to
> access the things a normal system would (its own disk space, the network
> controller, the keyboard, and so on). I need to be SSHing into the
> jailed system to control it.
# a piece from /etc/rc.conf from the host as example here :

jail_enable="YES"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_list="assp"

# assp-jail
#
jail_assp_rootdir="/usr/jails/assp"
jail_assp_hostname="assp.mydomain.org"
jail_assp_ip="192.168.111.111"
jail_assp_exec="/bin/sh /etc/rc"
jail_assp_devfs_enable="YES"
jail_assp_devfs_ruleset="devfsrules_jail"
#                        ^^^^^^^^^^^^^^^^^^^^
jail_assp_interface=rl0

# by using this approach ( including --> jail_assp_devfs_ruleset="devfsrules_jail" )
the jail itself ends up having a minimal /dev/ while all the software
from ports (excluding audio-software perhaps ;] runs fine

ls -la /usr/jails/assp/dev/
total 1
dr-xr-xr-x  2 root  wheel       512 Jun 27 20:24 fd
lrwxr-xr-x  1 root  wheel        14 Jun 27 20:24 log -> ../var/run/log
crw-rw-rw-  1 root  wheel    0,  10 Jul 29 23:11 null
crw-rw-rw-  1 root  wheel    0,  95 Jul 29 23:07 ptyp0
crw-rw-rw-  1 root  wheel    0,  97 Jul 25 22:16 ptyp1
crw-rw-rw-  1 root  wheel    0, 101 Jul  8 16:36 ptyp2
crw-rw-rw-  1 root  wheel    0, 103 Jul 29 23:13 ptyp3
crw-rw-rw-  1 root  wheel    0, 105 Jul 27 15:13 ptyp4
crw-rw-rw-  1 root  wheel    0, 107 Jul  1 22:15 ptyp5
crw-rw-rw-  1 root  wheel    0,  13 Jun 15 21:40 random
lrwxr-xr-x  1 root  wheel         4 Jun 27 20:24 stderr -> fd/2
lrwxr-xr-x  1 root  wheel         4 Jun 27 20:24 stdin -> fd/0
lrwxr-xr-x  1 root  wheel         4 Jun 27 20:24 stdout -> fd/1
crw-rw-rw-  1 root  wheel    0,  96 Jul 29 23:13 ttyp0
crw-rw-rw-  1 root  wheel    0,  98 Jul 25 22:19 ttyp1
crw-rw-rw-  1 root  wheel    0, 102 Jul 29 23:13 ttyp2
crw-rw-rw-  1 root  wheel    0, 104 Jul 29 23:13 ttyp3
crw--w----  1 root  tty      0, 106 Jul 27 15:12 ttyp4
crw-rw-rw-  1 root  wheel    0, 108 Jul  1 23:11 ttyp5
lrwxr-xr-x  1 root  wheel         6 Jun 27 20:24 urandom -> random
crw-rw-rw-  1 root  wheel    0,  11 Jun 15 19:40 zero
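The jail(8) note Paul quotes and the minimal /dev listing above raise the obvious follow-up check: does the jail's /dev really contain only what the ruleset unhides? Below is an added example, written for this thread and not code from the thread, from FreeBSD, or from any of the posters. It is a POSIX sh script whose RULESET is a constructed ruleset written in the style of /etc/defaults/devfs.rules (an assumption; compare it with the real file on your host before trusting it), and whose functions unhide_patterns and audit_dev are the script's own names. It resolves the "add include" lines of a ruleset section, collects the path patterns that section unhides, and flags every entry of a /dev listing the ruleset would not expose, for example a disk slice.

```shell
#!/bin/sh
# Added example, not from the thread: check that a jail's /dev contains only
# what a devfs ruleset unhides. RULESET below is a constructed ruleset in the
# style of /etc/defaults/devfs.rules (assumed; compare with your host's file).
set -f   # patterns such as ptyp* are devfs globs, never expand them as filenames

RULESET=$(cat <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

[devfsrules_unhide_login=3]
add path 'ptyp*' unhide
add path 'ttyp*' unhide
add path fd unhide
add path 'fd/*' unhide
add path stdin unhide
add path stdout unhide
add path stderr unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
EOF
)

# Print, one per line, every path pattern that section $1 unhides, following
# "add include $section" lines recursively. Quotes around patterns are dropped.
unhide_patterns() {
    printf '%s\n' "$RULESET" | awk -v want="$1" '
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/=.*/, "", sec); next }
        sec == want && $1 == "add" && $2 == "path" && $NF == "unhide" { print $3 }
        sec == want && $1 == "add" && $2 == "include" {
            inc = $3; sub(/^\$/, "", inc); print "INCLUDE " inc
        }
    ' | tr -d "'\"" | while read -r first rest; do
        if [ "$first" = INCLUDE ]; then
            unhide_patterns "$rest"
        else
            printf '%s\n' "$first"
        fi
    done
}

# Compare a whitespace-separated list of device names ($1, as you would get
# from "ls /usr/jails/NAME/dev") with the unhide patterns of section $2.
# Prints each node the ruleset would not expose and returns 1 if any was found.
audit_dev() {
    listing=$1
    patterns=$(unhide_patterns "$2")
    bad=0
    for name in $listing; do
        ok=0
        for pat in $patterns; do
            case $name in
                $pat) ok=1; break ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf 'unexpected device node: %s\n' "$name"
            bad=1
        fi
    done
    return $bad
}

# The listing albinootje posted for /usr/jails/assp/dev (names only).
JAIL_DEV="fd log null ptyp0 ptyp1 ptyp2 ptyp3 ptyp4 ptyp5 random stderr stdin
stdout ttyp0 ttyp1 ttyp2 ttyp3 ttyp4 ttyp5 urandom zero"

# Constructed listing of a jail started without the ruleset: a disk slice is
# visible, which is exactly the case the jail(8) note warns about.
LEAKY_DEV="null zero random ad0s1a"

# Usage: report both listings when run directly.
audit_dev "$JAIL_DEV" devfsrules_jail && echo "jail /dev matches devfsrules_jail"
audit_dev "$LEAKY_DEV" devfsrules_jail || echo "leaky /dev needs the ruleset"
```

On a real host, replace RULESET with the contents of /etc/defaults/devfs.rules (plus /etc/devfs.rules) and feed audit_dev the output of ls for the jail's /dev; a non-empty report means the jail sees a node the ruleset never unhid, so either the ruleset was not applied (jail_NAME_devfs_ruleset unset or misspelled) or a rule is broader than intended.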
From: Alexander Leidinger
To: Paul Hoffman
Cc: freebsd-jail@freebsd.org
Date: Mon, 30 Jul 2007 08:15:52 +0200
Subject: Re: What to put in devfs for a typical jail
Message-ID: <20070730081552.42dpvl5kgs0cco8o@webmail.leidinger.net>
Quoting Paul Hoffman (from Sun, 29 Jul 2007 11:57:45 -0700):

> Greetings. I want to set up a jail for a web server. It only needs to
> access the things a normal system would (its own disk space, the
> network controller, the keyboard, and so on). I need to be SSHing into
> the jailed system to control it.
>
> The manpage for jail says:
>     NOTE: It is important that only appropriate device nodes in devfs be
>     exposed to a jail; access to disk devices in the jail may permit
>     processes in the jail to bypass the jail sandboxing by modifying
>     files outside of the jail. See devfs(8) for information on how to
>     use devfs rules to limit access to entries in the per-jail devfs.
>
> What should I do for /etc/devfs.rules on the host? What should I be
> excluding?

In addition to what you already got as a response: I doubt you need
access to the keyboard in the jail. Access to the keyboard only makes
sense if you also have a way to give access to a display. X.org will
not run in a jail without a kernel patch, and I haven't tested if you
can give access to a virtual console in a jail (if I listen to my
belly, I have my doubts that it is possible without some patches).

Some predefined rules for devfs are in /etc/defaults/devfs.rules.

Bye,
Alexander.

-- 
The best you get is an even break.
		-- Franklin Adams

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From: Boris Samorodov
To: freebsd-jail@freebsd.org
Date: Sat, 04 Aug 2007 00:00:35 +0400
Subject: Is it safe to change compat.linux.osrelease inside a jail?
Message-ID: <45722684@bsam.ru>

Hi!

I'm porting some Fedora Core 6 applications. Since the FreeBSD package
of a FC6 port should be built with a non-default compat.linux.osrelease
and pointyhat is using jails to create packages, here is the question
in the Subject.

I know it _may_ be changed (I've tried and succeeded). Can someone say
that it's quite OK to do so (without bad effects to jail/host)?

Sure, I ask about -CURRENT.

Thanks!
WBR -- bsam