From: "Ruben Bloemgarten"
Reply-To: ruben@bloemgarten.demon.nl
Date: Sat, 10 Sep 2005 17:05:18 +0200
Subject: RE: /dev/mem /dev/kmem jails and using netstat -r and snmp
In-Reply-To: <44mzml3wt7.fsf@be-well.ilk.org>
List: freebsd-questions@freebsd.org

Hi Lowell,

I absolutely agree with you in regards to jail security, this would effectively break jail security. My main reason for using jails is not security however, but manageability and expandability. By now I've figured out how to make mem and kmem available to a specific jail. As with all *nix related problems it was painfully simple once understood.
I have managed to enable most NMS functionality I want from inside the jail without having to resort to this ruleset. I did want to have the option available for development and testing reasons to be able to differentiate between what I'm doing wrong and what is just an inherent restriction of properly deployed jails. For a fully functional NMS solution running from inside a jail, using very anal access restrictions from the firewall on the mainhost, I'm not sure yet whether or not I'm actually troubled by the security NoNo access to privileged devices generates.

Anyway, thanks for your insight. Sometimes all we need is just someone to talk to. By the way I am very interested in what everyone's thoughts are in regards to jail functionality, as in security vs. the VirtualServer aspect and in which scenario one outweighs the other.

Regards,
Ruben

-----Original Message-----
From: lowell@be-well.ilk.org [mailto:lowell@be-well.ilk.org] On Behalf Of Lowell Gilbert
Sent: September 10, 2005 2:57 PM
To: ruben@bloemgarten.demon.nl
Cc: freebsd-questions@freebsd.org
Subject: Re: /dev/mem /dev/kmem jails and using netstat -r and snmp

"Ruben Bloemgarten" writes:

> I seem to be a bit stuck here. I seem to need access to /dev/mem and
> /dev/kmem from inside a jail. Specifically to be able to use netstat -r and
> snmp in jailed environments. I'm running FBSD 5.4-RELEASE. Could anyone help
> me shed some light on this problem? Thanks.

Making kmem available in a jail seems like it can't be the right answer to anything. Kind of contradicts the point, I would think. I don't see an easy way around this.

Furthermore, there are different approaches depending on why you are trying to do this. If you want system statistics inside of a jail for remote monitoring, consider whether that is the best approach; after all, network management *is* a fundamentally privileged operation.
One way to do it would be to feed the statistics into the jail from outside of it; this way, the privileged operation is separated from the network-accessible code, and not dependent on it in any way.

Good luck.
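The separation Lowell describes, feeding statistics into the jail from the host instead of exposing /dev/kmem, as an added example that is not part of the thread: a host-side sh script that runs netstat on the host and atomically publishes the output into a host-owned directory the jail sees read-only. The directory path, the nullfs mount and the cron invocation are assumptions for the example, not details from the original messages.

```shell
#!/bin/sh
# Added example (not from the thread): run on the HOST, never inside the jail.
# Publishes routing-table output into a host-owned directory that is exported
# into the jail read-only, e.g. (assumed setup, not from the thread):
#   mount_nullfs -o ro /var/host-stats /usr/jails/nms/var/run/host-stats
# The jailed snmpd/NMS reads the file instead of opening /dev/kmem, and the
# jail cannot write the directory, so it cannot plant symlinks there or feed
# anything back to the privileged side.
STATS_DIR="${STATS_DIR:-/var/host-stats}"   # assumed path

# publish_stats DIR NAME COMMAND...
# Runs COMMAND on the host and atomically replaces DIR/NAME with its output;
# readers in the jail never observe a half-written file.
publish_stats() {
    dir=$1; name=$2; shift 2
    mkdir -p "$dir" || return 1
    tmp="$dir/.$name.tmp.$$"
    # umask 022: world-readable for the jail, writable only by the host owner.
    if ( umask 022; "$@" > "$tmp" ); then
        mv -f "$tmp" "$dir/$name"
    else
        rm -f "$tmp"          # a failed command leaves no stale partial data
        return 1
    fi
}

# Invoke as "export-stats.sh run" from the host's cron (assumed schedule);
# with no argument the script only defines the function.
case "${1:-}" in
    run) publish_stats "$STATS_DIR" routes netstat -rn ;;
esac
```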