From owner-freebsd-jail@FreeBSD.ORG Sun Aug 12 12:24:37 2007
Date: Sun, 12 Aug 2007 14:24:33 +0200
From: Kurt Jaeger
To: freebsd-stable@freebsd.org
Cc: freebsd-jail@freebsd.org, daichi@freebsd.org
Message-ID: <20070812122433.GA68970@home.c0mplx.org>
Subject: Patch for FreeBSD 6.2 fstat(1) to support unionfs (at least a little bit)
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Sun, 12 Aug 2007 12:24:37 -0000

Hi!
fstat(1) from FreeBSD 6.2 cannot display information about files which
reside in a unionfs[1], as can be seen in this example[2]:

USER     CMD          PID   FD MOUNT                            INUM MODE          SZ|DV R/W
pi       less       31028 root -                                   - ?(unionfs)        -
pi       less       31028   wd -                                   - ?(unionfs)        -
pi       less       31028 jail -                                   - ?(unionfs)        -
pi       less       31028 text -                                   - ?(unionfs)        -
pi       less       31028    0 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    1 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    2 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    3 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5  r
pi       less       31028    4 -                                   - ?(unionfs)        -

This patch[3] fixes it, as can be seen in this other example[4]:

USER     CMD          PID   FD MOUNT                            INUM MODE          SZ|DV R/W
pi       less       31028 root /vserv/vserv3.nepustil.net    4804764 drwxrwxr-x      512  r unionupper /usr
pi       less       31028   wd /vserv/vserv3.nepustil.net    5042109 drwx------     1536  r unionupper /usr
pi       less       31028 jail /vserv/vserv3.nepustil.net    4804764 drwxrwxr-x      512  r unionupper /usr
pi       less       31028 text /vserv/vserv3.nepustil.net    5159119 -r-xr-xr-x   109300  r unionlower /usr
pi       less       31028    0 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    1 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    2 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5 rw
pi       less       31028    3 /vserv/vserv3.nepustil.net/dev    109 crw--w----    ttyp5  r
pi       less       31028    4 /vserv/vserv3.nepustil.net    5042526 -rw-------      702  r unionupper /usr

The filesystems involved:

f6# df
[...]
Filesystem                1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1e                43938150 20634736 19788362    51%    /usr
[...]
:/vserv/template/stage2    87876300 64572886 19788362    77%    /vserv/vserv3.nepustil.net
devfs                             1        1        0   100%    /vserv/vserv3.nepustil.net/dev
[...]
were mounted with the following commands:

/sbin/mount -t unionfs -o noatime,below,copymode=transparent /vserv/template/stage2 /vserv/vserv3.nepustil.net
/sbin/mount_devfs devfs /vserv/vserv3.nepustil.net

How to apply:

cd /tmp/
fetch http://c0mplx.org/src/fstat-unionfs-patch/patch-20070812
cd /usr
patch < /tmp/patch-20070812
cd /usr/src/usr.bin/fstat/
make install

TODO: support other filesystems besides UFS as lower filesystems

[1] http://people.freebsd.org/~daichi/unionfs/
[2] http://c0mplx.org/src/fstat-unionfs-patch/before
[3] http://c0mplx.org/src/fstat-unionfs-patch/patch-20070812
[4] http://c0mplx.org/src/fstat-unionfs-patch/after

See also: http://c0mplx.org/src/fstat-unionfs-patch/

-- 
pi@c0mplx.org         +49 171 3101372                    13 years to go !

From owner-freebsd-jail@FreeBSD.ORG Mon Aug 13 14:31:15 2007
Date: Mon, 13 Aug 2007 16:07:04 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Chris Thunes
Message-ID: <46C06588.80200@quip.cz>
Cc: cdjones@novusordo.net, freebsd-jail@freebsd.org
Subject: Re: jtune not showing resource usage

Chris Thunes wrote:
> Hey all,
> I've been working with the resource limiting patches on a 6.2 installation
> and haven't been able to get jtune to show memory usage for jails at all.
>
> [root@virt1] ~ # jtune -j 15 -i
> JID  Hostname           Memory Used / Limit  CPU Shares
> 15   jail0.rootbsd.net  0 M / 256 M          0
>
> I have the limits enabled in sysctl and really have no idea as to why this
> wouldn't be displaying correctly. If there is anyone who can point me in the
> right direction the help would be greatly appreciated.

Hi,
I had the same question more than a month ago, but no answer (2007-06-29). So
I think no competent person is subscribed to this list.
[I CCed cdjones now = maybe he knows :)]

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Aug 13 22:50:40 2007
Date: Mon, 13 Aug 2007 18:50:38 -0400
From: "Chris Thunes"
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: cdjones@novusordo.net, freebsd-jail@freebsd.org
Subject: Re: jtune not showing resource usage - fixed

On 8/13/07, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> Chris Thunes wrote:
> > Hey all,
> > I've been working with the resource limiting patches on a 6.2 installation
> > and haven't been able to get jtune to show memory usage for jails at all.
> >
> > [root@virt1] ~ # jtune -j 15 -i
> > JID  Hostname           Memory Used / Limit  CPU Shares
> > 15   jail0.rootbsd.net  0 M / 256 M          0
> >
> > I have the limits enabled in sysctl and really have no idea as to why this
> > wouldn't be displaying correctly. If there is anyone who can point me in the
> > right direction the help would be greatly appreciated.
>
> Hi,
> I had the same question more than a month ago, but no answer (2007-06-29). So
> I think no competent person is subscribed to this list.
> [I CCed cdjones now = maybe he knows :)]
>
> Miroslav Lachman
>

I found the problem and was able to fix it and created a small patch for
anyone who needs this fixed. A function called prison_memory in
sys/kern/kern_jail.c is called to calculate the memory usage for a given
jail, but this value is never stored back to the corresponding prison object,
which is what jtune uses to check the memory usage. This patch just drops a
few lines in at the end of prison_memory to store this value to the
structure. If anyone knows any adverse side effects this would cause, please
let me know.
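Review bot: the attached diff is reversed relative to what the message describes. Decoding the base64 attachment gives a single hunk headed `@@ -570,12 +570,6 @@` whose only changed lines carry a `-` prefix, among them `mtx_lock(&pr->pr_mtx);`, `pr->pr_mem_usage = mem_used;` and `mtx_unlock(&pr->pr_mtx);`, so the `+++` file dated Aug 13 is the one without the store, and patch(1) run against an unpatched kern_jail.c will report a reversed patch instead of adding those lines; regenerate it as `diff -u kern_jail.c.orig kern_jail.c` with the modified file second. Two smaller points on the same hunk: drop the `// Hopefully this works :)` line (style(9) uses `/* */` comments and the remark does not belong in kernel source), and since the new lines take `pr->pr_mtx`, confirm that no caller of prison_memory() already holds that mutex, otherwise the lock would be acquired recursively.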
- Chris

Content-Type: application/octet-stream; name=jtune_fix-2007-08-13.patch
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jtune_fix-2007-08-13.patch"

LS0tIHNyYy9zeXMva2Vybi9rZXJuX2phaWwuYyAgICBUdWUgSnVsIDE3IDExOjI3OjUzIDIwMDcK
KysrIHNyYy9zeXMva2Vybi9rZXJuX2phaWwuYyAgICBNb24gQXVnIDEzIDEzOjEwOjA0IDIwMDcK
QEAgLTU3MCwxMiArNTcwLDYgQEAKICAgICAgICAgICAgICAgIG1lbV91c2VkICs9IHZtc3BhY2Vf
cmVzaWRlbnRfY291bnQocC0+cF92bXNwYWNlKTsKICAgICAgICB9CiAgICAgICAgICAgICAgICBt
ZW1fdXNlZCAqPSBQQUdFX1NJWkU7Ci0KLSAgICAgICAvLyBIb3BlZnVsbHkgdGhpcyB3b3JrcyA6
KQotICAgICAgIG10eF9sb2NrKCZwci0+cHJfbXR4KTsKLSAgICAgICBwci0+cHJfbWVtX3VzYWdl
ID0gbWVtX3VzZWQ7Ci0gICAgICAgbXR4X3VubG9jaygmcHItPnByX210eCk7Ci0KICAgICAgICBy
ZXR1cm4gbWVtX3VzZWQ7CiB9CiAK

From owner-freebsd-jail@FreeBSD.ORG Wed Aug 15 15:39:22 2007
Date: Wed, 15 Aug 2007 11:27:07 -0400 (EDT)
From: Randy Schultz
To: freebsd-jail@freebsd.org
Subject:
security bug or operator "misunderstanding", and a query

Hey all,

I've been messing around with, and liking, jails. I had a weird thing happen
tho' that I cannot explain, and seems to violate the concept of jail.

I have the AMD64 version of fbsd 6.2 set up, default install (plus a few minor
ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:

jail_list="ntpjail"

jail_ntpjail_rootdir=/usr/local/jails/jail1
jail_ntpjail_hostname=ntpjail.earlham.edu
jail_ntpjail_ip=192.168.1.59
jail_ntpjail_interface=bge1
jail_ntpjail_devfs_enable="YES"

The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
and no tweaks are in sysctl.conf.

When I have the parent/jail up and running, ntpd not running on the parent, if
I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
barks with "address already in use". Now, I understand the "address already
in use" part, but how can starting something in the jail affect anything on
the parent? I thought the 2 were more separated than that.

I'm trying to get to a setup where ntp on the parent sets the system time but
doesn't answer any queries, and ntp in the jail answers the time queries. If
anybody has any thoughts on whether or not this is even possible (short of
recoding part of ntp ;) or possible avenues of investigation, pls let me know.

Tnx.
-- 
Randy (schulra@earlham.edu) 765.983.1283 <*>

From owner-freebsd-jail@FreeBSD.ORG Wed Aug 15 16:46:41 2007
Date: Wed, 15 Aug 2007 12:36:26 -0400
From: Bill Moran
Organization: Collaborative Fusion
To: Randy Schultz
Cc: freebsd-jail@freebsd.org
Message-Id: <20070815123626.61341c12.wmoran@collaborativefusion.com>
Subject: Re: security bug or operator "misunderstanding", and a query

In response to Randy Schultz:

> Hey all,
>
> I've been messing around with, and liking, jails. I had a weird thing happen
> tho' that I cannot explain, and seems to violate the concept of jail.
>
> I have the AMD64 version of fbsd 6.2 set up, default install (plus a few minor
> ports like sudo). The jail setup is AFAIK standard, e.g.
> rc.conf has:
>
> jail_list="ntpjail"
>
> jail_ntpjail_rootdir=/usr/local/jails/jail1
> jail_ntpjail_hostname=ntpjail.earlham.edu
> jail_ntpjail_ip=192.168.1.59
> jail_ntpjail_interface=bge1
> jail_ntpjail_devfs_enable="YES"
>
> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
> and no tweaks are in sysctl.conf.
>
> When I have the parent/jail up and running, ntpd not running on the parent, if
> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
> barks with "address already in use".

By design, a jail cannot start a process on the host. If you are actually
able to demonstrate this behaviour, many would be interested because it would
constitute a serious bug.

> Now, I understand the "address already
> in use" part, but how can starting something in the jail affect anything on
> the parent? I thought the 2 were more separated than that.

If ntpd on the parent is trying to listen on 192.168.1.59, it will be unable
to because the copy in the jail is already using it.

The host has access to all of the jail's resources. The jail has access to
only the resources that are specifically configured to be allowed.

> I'm trying to get to a setup where ntp on the parent sets the system time but
> doesn't answer any queries, and ntp in the jail answers the time queries. If
> anybody has any thoughts on whether or not this is even possible (short of
> recoding part of ntp ;) or possible avenues of investigation, pls let me know.

Configure ntpd on the host to use only the host's primary IP and not that of
the jail.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
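Bill's explanation above is the one to act on: to the host's network stack, 192.168.1.59 is simply another local address, so whichever process binds port 123 on it first (or binds the wildcard address) wins, and the jailed ntpd sees "address already in use". The check below is an added example, not code from the thread or from FreeBSD: a POSIX shell script that reads sockstat(1) output and lists the host sockets that already claim a jail's address, either by binding `*` (the wildcard, which covers every address the host owns, jail aliases included) or by binding the jail IP itself. The sockstat lines embedded in it are constructed sample data, not captured from anyone's system; the host address 192.168.1.10 is assumed for illustration, and 192.168.1.59 is Randy's jail IP.

```shell
#!/bin/sh
# Added example, not from the thread: find host-side sockets that already
# claim a jail's IP address, the cause of "address already in use" when a
# daemon is then started inside the jail. Input is sockstat(1)-style text.
# SAMPLE_SOCKSTAT is constructed sample data (host 192.168.1.10 assumed,
# jail 192.168.1.59 as in the rc.conf above), not a capture from a real host.

SAMPLE_SOCKSTAT=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       612   20 udp4   *:123                 *:*
root     ntpd       612   21 udp4   192.168.1.10:123      *:*
root     ntpd       612   22 udp4   192.168.1.59:123      *:*
root     sshd       580   3  tcp4   192.168.1.10:22       *:*
root     syslogd    501   6  udp4   *:514                 *:*
EOF
)

# jail_port_claims <jail-ip>: read "sockstat -4l" output on stdin and print
# "PROTO PORT COMMAND PID KIND" for every socket a jailed daemon would collide
# with. KIND is "wildcard" for a bind to "*" (reachable on every address the
# host owns, jail aliases included) or "jail-ip" for an explicit bind to <jail-ip>.
jail_port_claims() {
    awk -v ip="$1" '
        NR == 1 { next }                      # skip the sockstat header row
        {
            split($6, a, ":")                 # LOCAL ADDRESS is addr:port
            addr = a[1]; port = a[2]
            if (addr == "*")     print $5, port, $2, $3, "wildcard"
            else if (addr == ip) print $5, port, $2, $3, "jail-ip"
        }'
}

# wildcard_listeners: only the wildcard binds. These matter even before any
# jail daemon starts, because they answer on the jail's address as well.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $5, a[2], $2, $3 }'
}

# count_claims <jail-ip>: number of colliding sockets in the sample, for scripting.
count_claims() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_port_claims "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed sample for Randy's jail address.
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_port_claims 192.168.1.59
```

On a real host run `sockstat -4l | jail_port_claims 192.168.1.59` before starting a daemon in the jail; an empty result is what Bill's advice (host daemons bound to the host's own address only) looks like in practice. Two caveats: sockstat on the host also lists sockets that belong to processes inside jails, so a "jail-ip" match may be the jail's own daemon (ps(1) marks jailed processes with a J in the STAT column), and a wildcard listener is not only a port conflict but also answers to anything that can route to the jail's address, which is why it is flagged separately.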
From owner-freebsd-jail@FreeBSD.ORG Wed Aug 15 17:12:39 2007
Date: Wed, 15 Aug 2007 18:47:05 +0200
From: Alain Wolf
To: Randy Schultz
Message-ID: <46C32E09.5090908@k18.ch>
Cc: freebsd-jail@freebsd.org
Subject: Re: security bug or operator "misunderstanding", and a query

Randy Schultz wrote, On 2007-08-15 17:27:
> Hey all,
>
> I've been messing around with, and liking, jails. I had a weird thing
> happen tho' that I cannot explain, and seems to violate the concept of jail.
>
> I have the AMD64 version of fbsd 6.2 set up, default install (plus a
> few minor ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:
>
> jail_list="ntpjail"
>
> jail_ntpjail_rootdir=/usr/local/jails/jail1
> jail_ntpjail_hostname=ntpjail.earlham.edu
> jail_ntpjail_ip=192.168.1.59
> jail_ntpjail_interface=bge1
> jail_ntpjail_devfs_enable="YES"
>
> The /dev dir is whatever is defined for jails in
> /etc/defaults/devfs.rules, and no tweaks are in sysctl.conf.
>
> When I have the parent/jail up and running, ntpd not running on the
> parent, if I kick off ntpd in the jail, it actually kicks off ntpd in the
> parent then barks with "address already in use". Now, I understand the
> "address already in use" part, but how can starting something in the jail
> affect anything on the parent? I thought the 2 were more separated than that.
>
> I'm trying to get to a setup where ntp on the parent sets the system
> time but doesn't answer any queries, and ntp in the jail answers the time
> queries.
> If anybody has any thoughts on whether or not this is even possible (short of
> recoding part of ntp ;) or possible avenues of investigation, pls let me know.
>
> Tnx.
>
> -- 
> Randy (schulra@earlham.edu) 765.983.1283 <*>

Hi Randy

Usually it is the other way round. The parent system uses up the jail's IP
address; you have to take steps so that it doesn't do that before starting
anything in the jail.

For TCP/IP on the parent system, a jail IP address is just another IP
interface/address to use. It does not know about jails.

AFAIK things are planned for FBSD 7 to have more independent IP interfaces in
jails.

Hope this helps.

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 17 08:07:57 2007
Date: Fri, 17 Aug 2007 10:07:36 +0200
From: Alexander Leidinger
To: mal content
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Message-ID: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net>
In-Reply-To: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com>
Subject: Re: Jailed X applications

Quoting mal content (from Fri, 17 Aug 2007 06:10:39 +0100):

This is better suited for freebsd-jail@ (CCed), please remove
freebsd-security@ on reply to move the discussion there.

> Has anyone here ever successfully set up a jail for X apps, connecting
> to an external X server? I'm trying an experimental sandbox setup here.

I have my X server itself in a jail (needs a kernel patch and some devfs
rules), and in the past connected to a jail and started an X11 program
there... IIRC.

> I have a jail running on an aliased IP on my local machine and X
> programs connect out of the jail to my local X server via an SSH
> tunneled TCP connection. All other packets to and from the jail are
> denied by the packet filter. The trouble I am having is that many
> applications (all X apps so far and a few of the SSH tools) try to open
> and read from /dev/tty, which clearly isn't going to happen:

ssh uses a tty (pty?), but normally you have some in a jail. How do you
start the jail? There should be devfs mounted in the jail.

Bye,
Alexander.

-- 
"How do I love thee? My accumulator overflows."

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137
From owner-freebsd-jail@FreeBSD.ORG Fri Aug 17 16:24:50 2007
-0700 (PDT) Message-ID: <8e96a0b90708170900u7d40165es18ac058877236a89@mail.gmail.com> Date: Fri, 17 Aug 2007 17:00:00 +0100 From: "mal content" To: "Alexander Leidinger" In-Reply-To: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> Cc: freebsd-jail@freebsd.org Subject: Re: Jailed X applications X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Aug 2007 16:24:50 -0000 On 17/08/07, Alexander Leidinger wrote: > Quoting mal content (from Fri, 17 Aug > 2007 06:10:39 +0100): > > This is better suited for freebsd-jail@ (CCed), please remove > freebsd-security@ on reply to move the discussion there. > Gotcha. > > Has anyone here ever successfully set up a jail for X apps, connecting > > to an external X server? I'm trying an experimental sandbox setup here. > > I have my X server itself in a jail (needs a kernel patch and some > devfs rules), and in the past connected to a jail and started a X11 > programm there... IIRC. I think you may misunderstand me. In this setup, my X server is actually running on my host, outside of any jail. I intend for programs running inside the jail to connect to the X server with TCP/IP: ssh -N -L 6000:hostip:6000 x@hostip & xterm -display 127.0.0.1:6000 The intention is to also place some sort of custom X proxy before the actual server, to do inspection on the protocol before it is passed to the real server. This is for later, however. > > ssh uses a tty (pty?), but normally you have some in a jail. How do > you start the jail? There should be devfs mounted in the jail. 
> I'm using a jail created with ezjail from ports. The jail has both a devfs and fdescfs mounted inside (it uses the standard jail devfs rules). The ezjail documentation suggests that it uses the standard /etc/rc.d/jail script to start jails, a quick look at the source seems to confirm it. I'm not entirely sure why programs are attempting to read directly from /dev/tty. I have not changed any settings from the defaults. ssh and ssh-keygen would both attempt to open /dev/tty when prompting for passwords. I fixed this by disabling PasswordAuthentication in /etc/ssh/ssh_config and by specifying passphrases to ssh-keygen on the command line (a bad idea, but I'm the only user on this machine anyway). thanks, MC From owner-freebsd-jail@FreeBSD.ORG Fri Aug 17 22:28:25 2007 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A644716A419 for ; Fri, 17 Aug 2007 22:28:25 +0000 (UTC) (envelope-from idiotbg@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.191]) by mx1.freebsd.org (Postfix) with ESMTP id 2753413C465 for ; Fri, 17 Aug 2007 22:28:24 +0000 (UTC) (envelope-from idiotbg@gmail.com) Received: by nf-out-0910.google.com with SMTP id b2so414721nfb for ; Fri, 17 Aug 2007 15:28:24 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:message-id; b=aktwI/mTN8pPyFKf0orGYfy1tnZXWbEWhjLKDb0u9sKAA4Ey8vDPGTRgiwWjuEe6ucdX8DHGmfe+g8Cxn0feTGaFhExGtGIOFphpXqlp+lnwIYBmNQW45JtT0U2F+oTWaeRz8Rar2BmfnNofCfKHVq9yyA1Wa1kaojUkMd6hZys= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:message-id; 
b=tAQn8AWdzYhoJXKy1ieYpPd89pP9EH4LOkvd7SYKnDGNgJtC0TmVz6cXWGQtN14KTAOlNMiJ84zMBkK8IxuThh/s0pGDxoZjuEu0xGwnOvShl3EVuMN1F7T/PlRV4OWZmXUgJbgSy6CagmyzoE9TY9hhXUkKGcdwBfPvJXjTpUg= Received: by 10.86.28.5 with SMTP id b5mr2441461fgb.1187387964733; Fri, 17 Aug 2007 14:59:24 -0700 (PDT) Received: from 108-157-80-80.trakia.net ( [80.80.157.27]) by mx.google.com with ESMTPS id m1sm4697356fke.2007.08.17.14.59.22 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 17 Aug 2007 14:59:23 -0700 (PDT) From: Momchil Ivanov To: freebsd-jail@freebsd.org Date: Fri, 17 Aug 2007 23:59:18 +0200 User-Agent: KMail/1.9.7 References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> In-Reply-To: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart4272434.POSbmMfivQ"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200708172359.23268.idiotbg@gmail.com> Cc: Alexander Leidinger , mal content Subject: Re: Jailed X applications X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Aug 2007 22:28:25 -0000 --nextPart4272434.POSbmMfivQ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline =D0=9D=D0=B0 Friday 17 August 2007 10:07:36 Alexander Leidinger =D0=BD=D0= =B0=D0=BF=D0=B8=D1=81=D0=B0: > Quoting mal content (from Fri, 17 Aug > 2007 06:10:39 +0100): > > This is better suited for freebsd-jail@ (CCed), please remove > freebsd-security@ on reply to move the discussion there. > > > Has anyone here ever successfully set up a jail for X apps, connecting > > to an external X server? I'm trying an experimental sandbox setup here. 
> > I have my X server itself in a jail (needs a kernel patch and some > devfs rules), and in the past connected to a jail and started a X11 > programm there... IIRC. I used to connect via ssh to a jail on a remote machine and run X11 apps fr= om=20 there (opera, firefox......) because my computer was too slow back then and= =20 used it just to draw the windows. The machine with the jail was running 6.x= =20 and I still have the jail there, just don`t use it any more. I did not have= =20 any issues with this setup. > > > I have a jail running on an aliased IP on my local machine and X > > programs connect out of the jail to my local X server via an SSH > > tunneled TCP connection. All other packets to and from the jail are > > denied by the packet filter. The trouble I am having is that many > > applications (all X apps so far and a few of the SSH tools) try to open > > and read from /dev/tty, which clearly isn't going to happen: > > ssh uses a tty (pty?), but normally you have some in a jail. How do > you start the jail? There should be devfs mounted in the jail. > > Bye, > Alexander. =2D-=20 PGP KeyID: 0x3118168B Keyserver: pgp.mit.edu Key fingerprint BB50 2983 0714 36DC D02E =C2=A0158A E03D 56DA 3118 168B =20 --nextPart4272434.POSbmMfivQ Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQBGxho34D1W2jEYFosRAoxyAJ9D/CU2CzR+koZm7KTWrTugJ+2cQgCcCA69 7o+b7BQ1MmbJWMxUVf6RFg8= =Et7z -----END PGP SIGNATURE----- --nextPart4272434.POSbmMfivQ-- From owner-freebsd-jail@FreeBSD.ORG Sat Aug 18 22:07:59 2007 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4FF1B16A419 for ; Sat, 18 Aug 2007 22:07:59 +0000 (UTC) (envelope-from schulra@earlham.edu) Received: from sipala.earlham.edu (sipala.earlham.edu [159.28.1.75]) by mx1.freebsd.org (Postfix) with ESMTP id 1C33E13C458 for ; Sat, 18 Aug 2007 22:07:58 +0000 (UTC) (envelope-from schulra@earlham.edu) Received: from tdream.lly.earlham.edu (tdream.lly.earlham.edu [159.28.7.241]) by sipala.earlham.edu (8.13.6/8.13.6) with ESMTP id l7IM7spr000673 for ; Sat, 18 Aug 2007 18:07:56 -0400 (EDT) Received: from tdream.lly.earlham.edu (tdream.lly.earlham.edu [159.28.7.241]) by tdream.lly.earlham.edu (Postfix) with ESMTP id 1A67E8E275 for ; Sat, 18 Aug 2007 18:07:49 -0400 (EDT) Date: Sat, 18 Aug 2007 18:07:49 -0400 (EDT) From: Randy Schultz X-X-Sender: schulra@tdream.lly.earlham.edu To: freebsd-jail@freebsd.org In-Reply-To: <20070815123626.61341c12.wmoran@collaborativefusion.com> Message-ID: References: <20070815123626.61341c12.wmoran@collaborativefusion.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: security bug or operator "misunderstanding", and a query X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Aug 2007 22:07:59 -0000 On Wed, 15 Aug 2007, Bill Moran spaketh thusly: -}In response to Randy Schultz : -} -}> Hey all, -}> -}> I've been messing around with, and liking, jails. 
I had a weird thing happen -}> tho' that I cannot explain, and seems to violate the concept of jail. -}> -}> I have the AMD64 version of fbsd 6.2 set up, default install(plus a few minor -}> ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has: -}> -}> jail_list="ntpjail" -}> -}> jail_ntpjail_rootdir=/usr/local/jails/jail1 -}> jail_ntpjail_hostname=ntpjail.earlham.edu -}> jail_ntpjail_ip=192.168.1.59 -}> jail_ntpjail_interface=bge1 -}> jail_ntpjail_devfs_enable="YES" -}> -}> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules, -}> and no tweaks are in sysctl.conf. -}> -}> When I have the parent/jail up and running, ntpd not running on the parent, if -}> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then -}> barks with "address already in use". -} -}By design, a jail can not start a process on the host. If you are actually -}able to demonstrate this behaviour, many would be interested because it -}would constitute a serious bug. Yup, you're right. Today I took some time to more slowly go through the steps. What I missed before was the "J" in the state field of the ps command, signifying the jailed process. False alarm. Sorry 'bout that. -- Randy (schulra@earlham.edu) 765.983.1283 <*> Love with your heart, think with your head; not the other way around.
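The check Randy describes, telling a jailed ntpd from one on the host, can be scripted rather than eyeballed. The following is an added example, not part of the thread: it reads the output of FreeBSD's "ps -axo pid,jid,stat,comm" (pid, jid, stat and comm are ps(1) keywords) and reports, for a given command name, whether each instance carries the J state flag or a non-zero jail id. The ps output below is constructed so the script runs offline; on a real system pipe the live ps output into it instead.

```shell
# classify_ps NAME: read ps output (with header) on stdin and print one line
# per process named NAME, marking it "jailed" when the STAT column contains
# the J flag or the JID column is non-zero, and "host" otherwise.
classify_ps() {
    awk -v name="$1" '
        NR == 1 { next }                      # skip the ps header line
        $4 == name {
            if (index($3, "J") > 0 || $2 != 0)
                kind = "jailed"
            else
                kind = "host"
            printf "%s pid=%s jid=%s\n", kind, $1, $2
        }'
}

# Constructed sample, shaped like "ps -axo pid,jid,stat,comm" on FreeBSD:
# ntpd runs inside jail 1 (note the J in STAT), sshd runs on the host.
SAMPLE_PS='  PID JID STAT COMM
    1   0 ILs  init
 1234   1 SsJ  ntpd
 1300   0 Ss   sshd'

# On a live system: ps -axo pid,jid,stat,comm | classify_ps ntpd
printf '%s\n' "$SAMPLE_PS" | classify_ps ntpd
```

If the same command shows up once as "jailed" and once as "host", the host copy was started on the host; a jail cannot start it there, which is the point Bill Moran makes above.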