Date: Mon, 20 Aug 2007 10:14:35 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: mal content <artifact.one@googlemail.com>
Cc: freebsd-jail@freebsd.org
Subject: Re: Jailed X applications
Message-ID: <20070820101435.cw0im31s0wwcc44o@webmail.leidinger.net>
In-Reply-To: <8e96a0b90708170900u7d40165es18ac058877236a89@mail.gmail.com>
References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> <8e96a0b90708170900u7d40165es18ac058877236a89@mail.gmail.com>

Quoting mal content <artifact.one@googlemail.com> (from Fri, 17 Aug 2007 17:00:00 +0100):

> On 17/08/07, Alexander Leidinger <Alexander@leidinger.net> wrote:
>> Quoting mal content <artifact.one@googlemail.com> (from Fri, 17 Aug
>> > Has anyone here ever successfully set up a jail for X apps, connecting
>> > to an external X server? I'm trying an experimental sandbox setup here.
>>
>> I have my X server itself in a jail (needs a kernel patch and some
>> devfs rules), and in the past connected to a jail and started an X11
>> program there... IIRC.
>
> I think you may misunderstand me. In this setup, my X
> server is actually running on my host, outside of any
> jail. I intend for programs running inside the jail
> to connect to the X server with TCP/IP:

I haven't misunderstood you. I just explained that I even have a more
restrictive configuration running.

> ssh -N -L 6000:hostip:6000 x@hostip &
> xterm -display 127.0.0.1:6000

ssh itself opens an X11 tunnel for you if you use -X (xauth has to be
present on ... both(?) hosts), it also sets the DISPLAY variable. So
maybe
   ssh -f -X x@hostip xterm &
would be a better idea.

Your command maybe misses the -g for ssh, or alternatively use -R
instead of -L. -T disables the allocation of a pseudo-tty, but this
should not be necessary, try all the other possibilities first (you
can use -v to get some more information what ssh does).

> The intention is to also place some sort of custom X
> proxy before the actual server, to do inspection on the
> protocol before it is passed to the real server. This
> is for later, however.

Should be possible even with the built-in X-tunnel (just give the
value of the ssh DISPLAY to the proxy).

>> ssh uses a tty (pty?), but normally you have some in a jail. How do
>> you start the jail? There should be devfs mounted in the jail.
>>
>
> I'm using a jail created with ezjail from ports. The
> jail has both a devfs and fdescfs mounted inside (it uses
> the standard jail devfs rules). The ezjail documentation
> suggests that it uses the standard /etc/rc.d/jail script
> to start jails, a quick look at the source seems to
> confirm it.

I use ezjail myself, so this is most probably not the problem.

Bye,
Alexander.

-- 
God isn't dead, he just couldn't find a parking place.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
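
Added example (not part of the original message): handing the ssh-provided DISPLAY value to an inspecting proxy, as suggested above, means the proxy has to turn that value into a concrete endpoint to connect to. The sketch below does this for the classic host:display.screen form only; the function name display_endpoint and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve an X11 DISPLAY value to the endpoint that a client
# (or a proxy placed in front of the X server) would connect to.
# Assumption: classic "host:display[.screen]" syntax only.

# display_endpoint DISPLAY -> prints "tcp HOST PORT" or "unix PATH"
display_endpoint() {
    d=$1
    case $d in
        *:*) ;;
        *) echo "invalid: no ':' in '$d'" >&2; return 1 ;;
    esac
    host=${d%:*}      # everything before the last ':'
    rest=${d##*:}     # display[.screen]
    num=${rest%%.*}   # drop the optional .screen suffix
    case $num in
        ''|*[!0-9]*) echo "invalid display number in '$d'" >&2; return 1 ;;
    esac
    # Strip leading zeros so shell arithmetic does not read the number as octal.
    while [ "${num#0}" != "$num" ] && [ -n "${num#0}" ]; do
        num=${num#0}
    done
    case $host in
        ''|unix)
            # Local display: Unix-domain socket, no TCP listener involved.
            echo "unix /tmp/.X11-unix/X$num" ;;
        *)
            # TCP display: the port is 6000 plus the display number.
            echo "tcp $host $((6000 + num))" ;;
    esac
}

# Constructed sample values: a local display, the kind of value sshd's
# X11 forwarding typically sets, and two explicit TCP displays.
for s in ":0" "localhost:10.0" "127.0.0.1:0" "127.0.0.1:6000"; do
    printf '%-16s -> %s\n' "$s" "$(display_endpoint "$s")"
done
```

A proxy that only accepts endpoints resolved this way can also refuse anything that is not a loopback TCP address or a local socket before it forwards a single X request.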