From owner-freebsd-jail@FreeBSD.ORG Mon Feb 17 11:06:50 2014
Date: Mon, 17 Feb 2014 11:06:49 GMT
Message-Id: <201402171106.s1HB6n0u033094@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD
users. These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

19 problems total.

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 20 00:16:32 2014
Message-Id: <201402200016.s1K0FU8p014445@fire.js.berklix.net>
To: freebsd-jail@freebsd.org
Subject: immutable flag breaks 9.1 to 9.2 make world in a jail
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Linux Unix Consultants, Munich Germany
Date: Thu, 20 Feb 2014 01:15:30 +0100
Cc: jhs@berklix.com

Hi freebsd-jail@freebsd.org
I have a problem with an immutable flag, running make world in a jail,
Any ideas please ?

The 9.1-RELEASE jail I built on a 9.1-RELEASE laptop, with
ports/sysutils/ezjail then I replaced all the shared bits with own
local copies of all files within the chroot, it worked fine, & still
works fine from 2 prisons, those prisons I meantime have upgraded on
2 different partitions, to 9.2 & 10.0-RELEASE ... but ...

Each time I run a make world within the jail (running on a 9.2
prison), the jail world hangs, & I have to login to prison, go root
& rescue the jail, though I fail to rescue the world upgrade.

The next jail to upgrade is in a prison I'm not root for,
It's an operational jail, (built the same way as this test jail)
& I won't touch it till I find a solution.

Something I'm missing, forgetting, or a real bug perhaps ?

Here's an approx. abbreviated transcript of what I've tried.
Ideas please ?

Jail:
  cd /usr/src/lib ; make install
    install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
    install: rename: /lib/INS@3Xhe to /lib/libc.so.7: \
        Operation not permitted
  Also fails:
    chflags -R noschg /
    chflags noschg /lib/libc.so.7

Prison :
  chflags noschg /usr1/jail/jstest/lib/libc.so.7
  # That still would not allow make world to run in jail,
  sysctl security.jail.param.allow.chflags=1

Jail:
  chflags -R noschg /
  cd /usr/src
  make world
    ===> lib/libc (install)
    install -C -o root -g wheel -m 444 libc.a /usr/lib
    install -C -o root -g wheel -m 444 libc_p.a /usr/lib
    install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
    install: /lib/libc.so.7: chflags: Operation not permitted
    *** [_libinstall] Error code 71

Prison:
  sysctl -a | grep chflag
    security.jail.param.allow.chflags: 0
    security.jail.chflags_allowed: 0
  sysctl -d security.jail.param.allow.chflags
    security.jail.param.allow.chflags: \
        Jail may alter system file flags
  sysctl -d security.jail.chflags_allowed
    security.jail.chflags_allowed: \
        Processes in jail can alter system file flags
  sysctl security.jail.param.allow.chflags=1
    security.jail.param.allow.chflags: 0 -> 0
  sysctl security.jail.chflags_allowed=1
    security.jail.chflags_allowed: 0 -> 1
  sysctl -a | grep chflag
    security.jail.param.allow.chflags: 0
    security.jail.chflags_allowed: 1
  sysctl security.jail.param.allow.chflags=1
  sysctl security.jail.param.allow.chflags=1
    security.jail.param.allow.chflags: 0 -> 0
  cd /lib ; tar cf - libc.so.7 | ( cd /usr1/jail/jstest/lib && tar xf - )

Jail:
  cd /usr/src/lib/libc
  make install
    install -C -o root -g wheel -m 444 libc.a /usr/lib
    install -C -o root -g wheel -m 444 libc_p.a /usr/lib
    install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
    install: rename: /lib/INS@sS7m to /lib/libc.so.7: \
        Operation not permitted
  install -s -o root -g wheel -m 444 -S /usr/obj/`pwd`/libc.so.7 /lib
    install: rename: /lib/INS@lsAo to /lib/libc.so.7: \
        Operation not permitted
  install -s -o root -g wheel -m 444 /usr/obj/`pwd`/libc.so.7 /lib
    install: /lib/libc.so.7: Operation not permitted
  chflags -R noschg /
    chflags: /lib/libc.so.7: Operation not permitted

Prison:
  chflags -R noschg /usr1/jail/jstest
  statv /usr1/jail/jstest/lib/libc.so.7
    Flags
    # http://www.berklix.com/~jhs/src/bsd/jhs/bin/public/statv/statv.c

Jail:
  install -s -o root -g wheel -m 444 /usr/obj/`pwd`/libc.so.7 /lib
    NO ERROR !
  But make world will want more so
  install -s -o root -g wheel -m 444 -fschg -S \
      /usr/obj/`pwd`/libc.so.7 /lib
    install: /lib/libc.so.7: chflags: \
        Operation not permitted

Prison:
  ls -l /usr1/jail/jstest/lib/libc.so.7
  cd /lib ; tar cf - libc.so.7 | ( cd /usr1/jail/jstest/lib && tar xf - )
  ls -l /usr1/jail/jstest/lib/libc.so.7
  statv /usr1/jail/jstest/lib/libc.so.7 | grep Flags
    Flags

Jail:
  install -s -o root -g wheel -m 444 -fschg -S \
      /usr/obj/`pwd`/libc.so.7 /lib
    install: /lib/libc.so.7: chflags: Operation not permitted
  chflags noschg /lib/libc.so.7
    Shared object "libc.so.7" not found, required by "chflags"

Prison:
  cd /lib ; tar cf - libc.so.7 | ( cd /usr1/jail/jstest/lib && tar xf - )
  sysctl -a | grep chflag
    security.jail.param.allow.chflags: 0
    security.jail.chflags_allowed: 1

Jail:
  sysctl -a | grep chflag
    security.jail.param.allow.chflags: 0
    security.jail.chflags_allowed: 0

PS re. auditdistd:
  Jail vipw does show
    auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
  (though I did get bitten by lack of that earlier.)
  Curiously my 9.2 prison did not have that line (maybe deleted
  by mistake) I just added it [back] & started another make
  world overnight in prison 9.2.
  My 10.0 prison /etc/master.passwd does have that line
  (though I'm not doing jail build from 10 prison)

PPS I have always hated FreeBSD immutable bits, & turned them off.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script. Indent old text with "> ".
 Send plain text. No quoted-printable, HTML, base64, multipart/alternative.