From: Boris Samorodov
To: Randy Schultz
Cc: freebsd-jail@freebsd.org
Date: Tue, 29 Jul 2008 22:57:10 +0400
Subject: Re: visudo non-functional in 7.0-RELEASE jail
Message-ID: <71363369@ipt.ru>

On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:

> Been using jails for a while with 6.2 and 6.3. Today I'm working my first lab
> box with 7.0-RELEASE. Set everything up with ezjail, e.g. ezjail-admin
> create... Everything builds/installs fine, no barks. Sudo installed via make
> install in /usr/ports/security/sudo on both parent and jail after a portsnap
> update. The version of sudo works fine in the parent. In the jail however I
> always get:
> zincite# /usr/local/sbin/visudo
> visudo: /usr/local/etc/sudoers busy, try again later
> Sudoers is not busy. This is on a fresh jail that only I have access to,
> doing a visudo right after the make install finishes.
> My first thought was the jail dev/fs perms were somehow messed up but I can
> write to /usr/local/etc. In fact I can vi /usr/local/etc/sudoers and write it
> back out.
> I've checked the sysctl flags. They are the same as on a working 6.x
> parent (but I've included them here FWIW):

I'm not sure that this configuration (6.x parent and 7.x jail) is
supported. I think that just the opposite may (or should) work.
Just my imho though. I'll be glad to be wrong here...

> Root Dude ? sysctl -a|egrep jail
> security.jail.jailed: 0
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 0
> security.jail.enforce_statfs: 2
> security.jail.sysvipc_allowed: 0
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> Rc.conf has:
> ezjail_enable=YES
> jail_list="zincite"
> jail_zincite_rootdir=/usr/local/jails/zincite
> jail_zincite_hostname=zincite.earlham.edu
> jail_zincite_ip=159.28.83.137
> jail_zincite_interface=bge0
> #jail_zincite_fstab="/etc/zincite.fstab"
> jail_zincite_mount_enable="YES"
> jail_zincite_devfs_enable="YES"
> Fstab is pretty standard:
> Root Dude ? cat /etc/fstab.zincite
> /usr/local/jails/basejail /usr/local/jails/zincite/basejail nullfs ro 0 0
> The /usr/local/jails/zincite/etc/devfs.conf is non-tweaked
> zincite# ls -l /dev
> total 0
> dr-xr-xr-x 2 root wheel 512 Jul 29 16:23 fd
> lrwxr-xr-x 1 root wheel 14 Jul 29 16:23 log -> ../var/run/log
> crw-rw-rw- 1 root wheel 0, 6 Jul 29 17:33 null
> crw-rw-rw- 1 root wheel 0, 121 Jul 29 17:26 ptyp0
> crw-rw-rw- 1 root wheel 0, 123 Jul 29 17:38 ptyp1
> crw-rw-rw- 1 root wheel 0, 10 Jul 29 12:23 random
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stderr -> fd/2
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdin -> fd/0
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdout -> fd/1
> crw-rw-rw- 1 root wheel 0, 122 Jul 29 17:26 ttyp0
> crw--w---- 1 rj tty 0, 124 Jul 29 17:38 ttyp1
> lrwxr-xr-x 1 root wheel 6 Jul 29 16:23 urandom -> random
> crw-rw-rw- 1 root wheel 0, 7 Jul 29 16:23 zero
> and /usr/local/etc/ezjail/zincite contains:
> export jail_zincite_hostname="zincite"
> export jail_zincite_ip="159.28.83.137"
> export jail_zincite_rootdir="/usr/local/jails/zincite"
> export jail_zincite_exec="/bin/sh /etc/rc"
> export jail_zincite_mount_enable="YES"
> export jail_zincite_devfs_enable="YES"
> export jail_zincite_devfs_ruleset="devfsrules_jail"
> export jail_zincite_procfs_enable="YES"
> export jail_zincite_fdescfs_enable="YES"
> export jail_zincite_image=""
> export jail_zincite_imagetype=""
> export jail_zincite_attachparams=""
> export jail_zincite_attachblocking=""
> export jail_zincite_forceblocking=""
> I tried tracing visudo but that didn't give me much:
> ...
> 1293: open("/usr/local/etc/sudoers",O_RDWR|O_CREAT,0440) = 3 (0x3)
> 1293: fcntl(3,F_SETLK,0x7fffffffe390) ERR#22 'Invalid argument'
> visudo: 1293: write(2,"visudo: ",8) = 8 (0x8)
> /usr/local/etc/sudoers busy, try again later 1293:
> write(2,"/usr/local/etc/sudoers busy, try"...,44) = 44 (0x2c)
> 1293: write(2,"\n",1) = 1 (0x1)
> 1293: process exit, rval = 1
> I noted the invalid argument, thought busted port, but same thing works great
> on the parent.
> I'm running out of places to poke.

WBR
--
bsam
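Added example, not part of the original message and not sudo's code: a small probe that issues the same kind of fcntl(F_SETLK) request seen in the trace and separates a real lock conflict (EAGAIN/EACCES) from a rejected lock request such as the ERR#22 above. The function and enum names, the exclusive whole-file lock parameters and the default path are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names for this example. */
enum lock_state { LOCK_FREE, LOCK_BUSY, LOCK_ERROR };

/* POSIX: EAGAIN or EACCES means another process holds a conflicting lock.
 * Any other errno (EINVAL, ENOLCK, ...) means the lock request itself was
 * rejected, which says nothing about whether the file is in use. */
enum lock_state classify_lock_errno(int err)
{
    if (err == 0)
        return LOCK_FREE;
    return (err == EAGAIN || err == EACCES) ? LOCK_BUSY : LOCK_ERROR;
}

/* Request a non-blocking exclusive lock on the whole file (assumed
 * parameters), then drop it. *err_out gets errno of the failing call, or 0. */
enum lock_state probe_lock(const char *path, int *err_out)
{
    struct flock fl;
    int fd = open(path, O_RDWR);

    *err_out = 0;
    if (fd < 0) {
        *err_out = errno;
        return LOCK_ERROR;
    }
    memset(&fl, 0, sizeof(fl));   /* l_start = 0, l_len = 0: whole file */
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    if (fcntl(fd, F_SETLK, &fl) == -1)
        *err_out = errno;
    close(fd);                    /* closing the descriptor releases the lock */
    return classify_lock_errno(*err_out);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "free", "busy", "error, not a lock conflict" };
    const char *path = argc > 1 ? argv[1] : "/usr/local/etc/sudoers";
    int err;
    enum lock_state st = probe_lock(path, &err);

    printf("%s: %s (errno %d: %s)\n", path, names[st], err, strerror(err));
    return st == LOCK_FREE ? 0 : 1;
}
```

Run inside the jail and on the host against the same file, a differing result points at the locking call rather than at another process holding the file.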