Date: Tue, 11 Sep 2018 15:58:02 -0400
From: "Michael W. Lucas"
To: current@freebsd.org
Subject: jail exec.clean busted in 12?
Message-ID: <20180911195802.GA77575@mail.michaelwlucas.com>

Hi,

storm~;uname -a
FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep 6 12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

It appears that exec.clean is busted. Here's my jail.conf:

---
$j="/jail";
path="$j/$name";
host.hostname="$name.mwl.io";

mount.devfs;
exec.clean=0;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

loghost {
    ip4.addr="203.0.113.231";
    allow.raw_sockets=1;
    jid=99;
}

logdb {
    host.hostname="logdb.mwl.io";
    ip4.addr="203.0.113.232";
}
---

exec.clean is not explicitly defined on the command line, but it's the default, so it maybe shouldn't be?

storm~;jls -n
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 host.hostname=logdb.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 host.hostname=loghost.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.231 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144

Anyway, I found this by:

# jexec loghost env
HOME=/home/mwlucas
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
TERM=xterm
LC_COLLATE=C
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
LC_CTYPE=en_US.ISO-8859-1
MAIL=/var/mail/root
...

I'm highly confident my SSH environment shouldn't be in the jail.

Yes, it goes away if I add -l, but my (admittedly sketchy) reading of the jexec source says that jexec handles stripping the environment before running the command.

Even if I start it the hard way (from a discussion at https://github.com/iocage/iocage/issues/610)

storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
storm~;jls
   JID  IP Address      Hostname                      Path
     9                  loghost                       /jail/loghost
storm~;jexec 9 env | grep -i ssh
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
storm~;

Any ideas?

Thanks,
==ml

-- 
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
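
Added example, not part of the original message: a shell helper that compares an env dump from the calling session with one taken inside the jail (for instance the output of "jexec loghost env") and lists the variables that crossed over unchanged. The function names, the ALLOW list and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find variables that crossed
# from the caller's session into a jail by comparing two `env` dumps.

# leaked_vars HOST_DUMP JAIL_DUMP
# Prints names that carry the same value in both dumps. ALLOW is an assumed
# allowlist of variables that are expected to be carried over.
leaked_vars() {
    awk -v allow="${ALLOW:-HOME TERM}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {   # split on the first "=" only; values may contain "="
            eq = index($0, "=")
            if (eq < 2) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        }
        NR == FNR { host[name] = val; next }
        (name in host) && host[name] == val && !(name in ok) { print name }
    ' "$1" "$2" | sort
}

# credential_vars HOST_DUMP JAIL_DUMP
# Narrows the result to names that usually point at credentials or sockets.
credential_vars() {
    leaked_vars "$1" "$2" | grep -E '^SSH_|_SOCK$|TOKEN|SECRET|PASSWORD' || true
}

# Constructed sample dumps, modelled on the output quoted in the post.
write_samples() {
    cat > "$1/host.env" <<'EOF'
HOME=/home/mwlucas
TERM=xterm
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
EOF
    # Jail dump as seen in the post: the caller's variables are all present.
    cp "$1/host.env" "$1/jail_plain.env"
    # Constructed dump of a scrubbed environment, for comparison.
    printf 'HOME=/root\nTERM=xterm\nUSER=root\nSHELL=/bin/csh\n' > "$1/jail_clean.env"
}

# Run as "sh script.sh demo" to print the credential-like leaks in the sample.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    credential_vars "$d/host.env" "$d/jail_plain.env"
    rm -rf "$d"
fi
```

To use it on a live system, save "env" output from the calling shell and from inside the jail to two files and pass them as HOST_DUMP and JAIL_DUMP.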