Date: Thu, 5 Sep 2019 08:22:54 +1000 From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> To: Zaphod Beeblebrox <zbeeble@gmail.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: A jail notion. Message-ID: <84adec37-c0e8-5209-1da1-c05b77f02d82@heuristicsystems.com.au> In-Reply-To: <CACpH0Md72MVA6v5eify=FQxbQK-b79De8DRWJ0d_oCHxQ%2BCAjA@mail.gmail.com> References: <CACpH0Md72MVA6v5eify=FQxbQK-b79De8DRWJ0d_oCHxQ%2BCAjA@mail.gmail.com>
Zaphod, I've had the same problem. Even after merging all UIDs and GIDs into the host environment (preferably with appropriate replacements of: /nonexistent:/usr/sbin/nologin), I was confronted with the same uid across multiple jails. So really "ps -o jid,pid,command" and "top -j" are useful - and it takes minor effort. However, the problem is with /var/audit logs - the subject really needs a jail id field, but that's not quite on-topic.

Kerberos users still require/have a userid - either as a person (account) or an application (account); if you go this route, linking heimdal and openldap works nicely - I used to use these together with pre-samba4.X, but you still need an account; while post-samba3, you'll need to modify nsswitch.conf so the system can find a userid mapping. NIS was helpful but for our env unsuitable, as we didn't want all xIDs exposed in the jails.

FWIW I added this to acquire jail id information in the /var/audit logs (a very long time ago - not my original idea, I just met the need):

--- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c (revision 351800) +++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c (working copy) @@ -172,6 +172,7 @@ fprintf(stderr, "\t\t pid=<ID>\n"); fprintf(stderr, "\t\t semid=<ID>\n"); fprintf(stderr, "\t\t shmid=<ID>\n"); + fprintf(stderr, "\t\t zone=<ID>\n"); fprintf(stderr, "\t-r <uid|name> : real user\n"); fprintf(stderr, "\t-u <uid|name> : audit user\n"); fprintf(stderr, "\t-v : select non-matching records\n"); @@ -593,6 +594,9 @@ } else if (!strcmp(name, SOCKOBJ)) { p_sockobj = val; SETOPT(opttochk, OPT_oso); + } else if (!strcmp(name, ZONEOBJ)) { + p_sockobj = val; + SETOPT(opttochk, OPT_z); } else usage("unknown value for -o"); } Index: /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h =================================================================== --- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h (revision 351800) +++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h (working copy) 
@@ -57,6 +57,7 @@ #define OPT_u 0x00010000 #define OPT_A 0x00020000 #define OPT_v 0x00040000 +#define OPT_z 0x00080000 /* zone token */ #define FILEOBJ "file" #define MSGQIDOBJ "msgqid" @@ -64,6 +65,7 @@ #define SEMIDOBJ "semid" #define SHMIDOBJ "shmid" #define SOCKOBJ "sock" +#define ZONEOBJ "zonename" /* aka jail */
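Review bot: In the auditreduce.c usage hunk (@@ -172), the new help line advertises the keyword as "zone=<ID>", but the parser hunk below matches ZONEOBJ, which auditreduce.h defines as "zonename"; a user following the usage text would get "unknown value for -o". Make the two agree, either by printing "\t\t zonename=<ID>\n" in usage or by defining ZONEOBJ as "zone".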
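Review bot: In the option-parsing hunk (@@ -593), the ZONEOBJ branch assigns `p_sockobj = val;`, copied from the SOCKOBJ branch above it, so `-o zonename=...` silently overwrites any `-o sock=...` value and the jail selector is stored in the socket-object variable. Introduce a dedicated variable (for example `p_zoneobj = val;`) and, since no hunk in this patch tests OPT_z when records are selected, add the corresponding check in the record-matching path, otherwise the flag is set but never acted on.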
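Review bot: In the second auditreduce.h hunk (@@ -64), the keyword "zonename" with the comment "aka jail" suggests the filter value is a jail name, while the usage text in the .c hunk describes it as "<ID>"; state which of the two the option compares against (jail id or jail name) in the define comment and usage text so both hunks describe the same thing.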
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?84adec37-c0e8-5209-1da1-c05b77f02d82>