Date:      Wed, 15 Aug 2007 12:36:26 -0400
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        Randy Schultz <schulra@earlham.edu>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: security bug or operator "misunderstanding", and a query
Message-ID:  <20070815123626.61341c12.wmoran@collaborativefusion.com>
In-Reply-To: <Pine.BSF.4.64.0708151105090.77665@tdream.lly.earlham.edu>
References:  <Pine.BSF.4.64.0708151105090.77665@tdream.lly.earlham.edu>

In response to Randy Schultz <schulra@earlham.edu>:

> Hey all,
> 
> I've been messing around with, and liking, jails.  I had a weird thing happen
> tho' that I cannot explain, and seems to violate the concept of jail.
> 
> I have the AMD64 version of fbsd 6.2 set up, default install(plus a few minor
> ports like sudo).  The jail setup is AFAIK standard, e.g. rc.conf has:
> 
>     jail_list="ntpjail"
> 
>     jail_ntpjail_rootdir=/usr/local/jails/jail1
>     jail_ntpjail_hostname=ntpjail.earlham.edu
>     jail_ntpjail_ip=192.168.1.59
>     jail_ntpjail_interface=bge1
>     jail_ntpjail_devfs_enable="YES"
> 
> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
> and no tweaks are in sysctl.conf.
> 
> When I have the parent/jail up and running, ntpd not running on the parent, if
> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
> barks with "address already in use".

By design, a jail can not start a process on the host.  If you are actually
able to demonstrate this behaviour, many would be interested because it
would constitute a serious bug.

> Now, I understand the "address already
> in use" part, but how can starting something in the jail affect anything on
> the parent?  I thought the 2 were more separated than that.

If ntpd on the parent is trying to listen on 192.168.1.59, it will be
unable to because the copy in the jail is already using it.

The host has access to all of the jail's resources.  The jail has access
to only the resources that are specifically configured to be allowed.

> I'm trying to get to a setup where ntp on the parent sets the system time but
> doesn't answer any queries, and ntp in the jail answers the time queries.  If
> anybody has any thoughts on whether or not this is even possible(short of
> recoding part of ntp ;) or possible avenues of investigation, pls let me know.

Configure ntpd on the host to use only the host's primary IP and not that
of the jail.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
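The collision described in this thread is a wildcard bind: an ntpd on the host that listens on `*:123` claims port 123 on every address the host owns, including the alias that was assigned to the jail, so the jail's ntpd then fails with "address already in use". The script below is an added example, not part of this mailing-list thread, that reads the `jail_<name>_ip` lines out of an rc.conf fragment and checks the host's listening sockets (as printed by `sockstat -4 -l`; the column layout is assumed from modern FreeBSD and may differ on other versions) for host processes bound to the wildcard address or to a jail's IP on a port a jail service needs. The rc.conf and sockstat samples are constructed, and the `jail_ports` mapping is a hypothetical input describing which ports each jail expects to serve.

```python
import re

# Constructed rc.conf fragment, same shape as the one quoted in the thread.
RC_CONF = """\
jail_list="ntpjail"
jail_ntpjail_rootdir=/usr/local/jails/jail1
jail_ntpjail_hostname=ntpjail.earlham.edu
jail_ntpjail_ip=192.168.1.59
jail_ntpjail_interface=bge1
jail_ntpjail_devfs_enable="YES"
"""

# Constructed sample of `sockstat -4 -l` output on the host. Column layout is
# an assumption (USER COMMAND PID FD PROTO LOCAL FOREIGN); check your version.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       652   20 udp4   *:123                 *:*
root     sshd       610   4  tcp4   192.168.1.10:22       *:*
root     syslogd    540   6  udp4   *:514                 *:*
"""

JAIL_IP_RE = re.compile(r'^jail_(\w+)_ip="?([\d.]+)"?\s*$', re.M)


def jail_ips(rc_conf: str) -> dict:
    """Map jail name -> IPv4 address from the jail_<name>_ip lines of rc.conf."""
    return {name: ip for name, ip in JAIL_IP_RE.findall(rc_conf)}


def listening_sockets(sockstat_out: str) -> list:
    """Parse `sockstat -4 -l` output into (command, pid, proto, addr, port) tuples."""
    sockets = []
    for line in sockstat_out.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        command, pid, proto, local = parts[1], int(parts[2]), parts[4], parts[5]
        addr, port = local.rsplit(":", 1)  # '*:123' -> ('*', '123')
        sockets.append((command, pid, proto, addr, int(port)))
    return sockets


def conflicts(rc_conf: str, sockstat_out: str, jail_ports: dict) -> list:
    """Return host sockets that would block a jail service.

    jail_ports maps jail name -> set of (proto, port) the jail intends to
    serve, e.g. {"ntpjail": {("udp4", 123)}}. A host socket conflicts when it
    uses the same proto and port and is bound either to the wildcard address
    ('*', which covers every alias including the jail's) or to the jail IP.
    """
    found = []
    ips = jail_ips(rc_conf)
    for jail, wanted in jail_ports.items():
        jail_ip = ips.get(jail)
        if jail_ip is None:
            continue
        for command, pid, proto, addr, port in listening_sockets(sockstat_out):
            if (proto, port) in wanted and addr in ("*", jail_ip):
                found.append((jail, jail_ip, command, pid, proto, addr, port))
    return found


if __name__ == "__main__":
    for jail, jail_ip, command, pid, proto, addr, port in conflicts(
        RC_CONF, SOCKSTAT, {"ntpjail": {("udp4", 123)}}
    ):
        print(f"{jail} ({jail_ip}): host {command}[{pid}] holds {proto} {addr}:{port}")
```

Run against the constructed data it reports the host ntpd on `*:123` and ignores sshd and syslogd, which use other ports. The fix the reply recommends is the same either way: make the host ntpd bind only the host's own address, after which the wildcard entry disappears from `sockstat` and the jail's ntpd can take 192.168.1.59:123.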



