From: Erich Dollansky
To: Fbsd8
Cc: freebsd-jail@freebsd.org
Subject: Re: Can Firefox break out of a jail
Date: Mon, 5 May 2014 20:35:25 +0800
Message-ID: <20140505203525.6f2ddfb3@X220.alogt.com>
In-Reply-To: <5367828D.8080506@a1poweruser.com>
References: <20140505195852.140ddb1b@X220.alogt.com> <5367828D.8080506@a1poweruser.com>
X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.22; amd64-portbld-freebsd10.0)
List-Id: "Discussion about FreeBSD jail(8)"

Hi,

On Mon, 05 May 2014 08:22:37 -0400
Fbsd8 wrote:

> Erich Dollansky wrote:
> > Hi,
> >
> > I am doing some experimenting with jails at the moment on a FreeBSD 10.0
> > machine. The jails are all set up manually according to the handbook
> > and man jail. Each jail gets a name and an IP address. Individual
> > ports are then installed via the ports tree.
> >
> > X is running on the host system. Telnet is used to connect to the
> > jails.
> >
> > When I now install firefox in a jail and also on the host system, I
> > get the following behaviour.
> >
> > Scene A
> >
> > Firefox is already running on the host system. I then start firefox inside
> > the jail firefox. It all seems fine as long as I do not use the
> > history or want to save the visited page. The jailed firefox then sees
> > the history of the firefox running on the host.
> >
> > Scene B
> >
> > Firefox is first started inside the jail firefox. When the host
> > system then also starts a firefox, this firefox now sees the history and
> > the filesystem of the jailed firefox.
> >
> > Is it X that allows the jailed firefox to communicate directly with
> > the firefox running directly on the host?
> >
> > Is there then a way to secure the system?
> >
> > I then tried programs like gedit or kate and saw only the
> > behaviour I expected. Both programs either saw only resources from
> > inside the jail or from outside, but never resources from the other
> > side of the fence.
> >
> firefox has to be installed where you have xorg and your desktop
> installed. Installing firefox in a jail by itself does nothing.
> What you think you are seeing is wrong. ssh into a jail that has firefox
> is not running firefox. ssh into the host where xorg and the desktop and
> firefox are is the only way to have firefox work, to the best of my knowledge.
>
As you can see, I have realised my mistake with the mailing list.

Ok, why is this so? How can firefox started inside a jail see the
firefox from outside?

As I am travelling most of my time, I only have my notebook. If I
remember right, I used to have in the office a small FreeBSD server
which was running as an application server. When I started firefox
there via telnet on the other machine, it worked as expected. The
remote firefox saw only the 'remote' machine and the local firefox saw
only the local machine.

Shouldn't it be the same with a jailed firefox?

Erich
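The following sh script is an added example for readers of this thread; it is not code from the thread, from FreeBSD or from the Firefox project. It rests on one fact about Firefox on X11 that the thread does not state: a running Firefox marks a hidden window on the display with properties named _MOZILLA_VERSION, _MOZILLA_PROGRAM, _MOZILLA_USER and _MOZILLA_PROFILE, and a Firefox started later on the same display looks for such a window and, when program, user and profile match, hands its command line to that instance instead of running separately. The script lets the host administrator check whether the display already carries such a window (so a "jailed" launch may just be talking to the host instance) and whether a jail root exposes the host's X socket directory, which is one way a jailed client reaches the host display at all. The file name mozcheck.sh, the jail path /usr/jails/firefox and the sample xwininfo/xprop output in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread above.
# Assumption (not stated on the page): on X11 a running Firefox keeps a hidden
# window carrying _MOZILLA_VERSION, _MOZILLA_PROGRAM, _MOZILLA_USER and
# _MOZILLA_PROFILE properties; a later Firefox start on the same display finds
# that window and, if program/user/profile match, passes its command line to
# the existing instance rather than running as its own process.

# Print the window ids from `xwininfo -root -tree` output read on stdin,
# one per line (tree lines look like: '     0x2000001 "firefox": (...)').
parse_window_ids() {
    sed -n 's/^[[:space:]]*\(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p'
}

# Exit 0 when xprop output read on stdin describes a Firefox remote-control
# window, i.e. it carries a _MOZILLA_VERSION property.
is_mozilla_remote_window() {
    grep -q '^_MOZILLA_VERSION('
}

# Print "program user profile" from xprop output on stdin, with "-" for any
# property that is absent. These are the values a second Firefox compares
# before attaching to the window.
mozilla_window_identity() {
    awk -F'"' '
        /^_MOZILLA_PROGRAM\(/ { prog = $2 }
        /^_MOZILLA_USER\(/    { user = $2 }
        /^_MOZILLA_PROFILE\(/ { prof = $2 }
        END { printf "%s %s %s\n", (prog == "" ? "-" : prog), (user == "" ? "-" : user), (prof == "" ? "-" : prof) }'
}

# Live check (needs xwininfo and xprop from the X11 client tools): list every
# Firefox remote-control window on $DISPLAY together with its owner identity.
list_mozilla_remote_windows() {
    xwininfo -root -tree | parse_window_ids | while read -r wid; do
        props=$(xprop -id "$wid" 2>/dev/null) || continue
        if printf '%s\n' "$props" | is_mozilla_remote_window; then
            printf '%s %s\n' "$wid" \
                "$(printf '%s\n' "$props" | mozilla_window_identity)"
        fi
    done
}

# Exit 0 when the jail rooted at $1 can see the host's X UNIX socket
# directory (for example through a nullfs mount of /tmp); a jailed X client
# with DISPLAY set can then open the host display like any local client.
jail_sees_x_socket() {
    [ -d "$1/tmp/.X11-unix" ]
}

# Usage on the host (hypothetical file name and jail path):
#   sh mozcheck.sh --live
#   sh mozcheck.sh --jail /usr/jails/firefox
case "${1:-}" in
    --live) list_mozilla_remote_windows ;;
    --jail) if jail_sees_x_socket "$2"; then
                echo "jail root $2 exposes /tmp/.X11-unix"
            else
                echo "jail root $2 does not expose /tmp/.X11-unix"
            fi ;;
esac
```

If `--live` lists a window whose program and user match what the jailed launch uses, the second Firefox is expected to attach to it rather than start afresh, which would explain a jailed Firefox showing the host's history (and the reverse in Scene B). The defensive fix is to keep the host display out of the jail: no /tmp/.X11-unix inside the jail root, no DISPLAY pointing at the host, and an X server that does not accept TCP connections from the jail's address; where a jail really needs a display, give it its own X server.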