Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 22 Dec 2006 03:35:37 +0100
From:      Philipp Wuensche <cryx-freebsd@h3q.com>
To:        freebsd-rc@freebsd.org
Cc:        "Raphael H. Becker" <rabe@p-i-n.com>, freebsd-stable@freebsd.org
Subject:   Re: /etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error	in jails /etc/rc?
Message-ID:  <458B4479.7060408@h3q.com>
In-Reply-To: <20061219003401.GA23251@p-i-n.com>
References:  <20061219003401.GA23251@p-i-n.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Raphael H. Becker wrote:
> Hi *,
> 
> I recently triggered an error when setting up a jail-host: I configured
> the jail(s) like evry jail I set up in the past:

Yes, this is a bug in rc.d/jail and was introduced in this change:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32.

When a jail fails to start, in your case a broken rc.conf in the jail,
the jail is stopped and the ipaddr-alias is unconfigured from the
interface with the following command: ifconfig ${jail_interface} -alias
${jail_ip}

Unfortunately in the change above the variables were renamed to
_interface and _ip, this leads to ifconfig getting executed without a
specified ipaddr. and therefore the first alias is unconfigured, which
is in most cases the ipaddr. you are having access to the remote host.

${jail_interface} is only the correct interface out of luck, so it
should be changed to _interface too.

I think the correct way would be to call jail_stop() instead of doing
the cleanup by hand but in the current implementation this would leave
the ipaddr-alias configured on the interface.

I think I already mentioned once that I don't like this interface and
ipaddr. configuration feature in rc.d/jail at all.

Anyway, the quick fix is trivial and should be included in 6.2.
Otherwise we have a possible DoS security problem with the new release.

--- rc.d/jail.old       Fri Dec 22 03:09:27 2006
+++ rc.d/jail   Fri Dec 22 03:10:07 2006
@@ -228,8 +228,8 @@
                                echo ${_jail_id} > /var/run/jail_${_jail}.id
                        else
                                jail_umount_fs
-                               if [ -n "${jail_interface}" ]; then
-                                       ifconfig ${jail_interface}
-alias ${jail_ip}
+                               if [ -n "${_interface}" ]; then
+                                       ifconfig ${_interface} -alias ${_ip}
                                fi
                                echo " cannot start jail \"${_jail}\": "
                                tail +2 ${_tmp_jail}

greetings,
philipp

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?458B4479.7060408>