From owner-freebsd-jail@FreeBSD.ORG Sun Feb 17 16:05:48 2008
Delivered-To: freebsd-jail@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E1C116A41B; Sun, 17 Feb 2008 16:05:48 +0000 (UTC) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 48ECB13C44B; Sun, 17 Feb 2008 16:05:48 +0000 (UTC) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m1HG5mDP034354; Sun, 17 Feb 2008 16:05:48 GMT (envelope-from linimon@freefall.freebsd.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m1HG5mjG034350; Sun, 17 Feb 2008 16:05:48 GMT (envelope-from linimon)
Date: Sun, 17 Feb 2008 16:05:48 GMT
Message-Id: <200802171605.m1HG5mjG034350@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/120753: [jail] Zombie jails (jailed child process exits while non-jailed parent is alive)
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Sun, 17 Feb 2008 16:05:48 -0000

Synopsis: [jail] Zombie jails (jailed child process exits while non-jailed parent is alive)

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Feb 17 16:05:40 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=120753

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 11:07:12 2008
Date: Mon, 18 Feb 2008 11:07:11 GMT
Message-Id: <200802181107.m1IB7B5e039445@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
s kern/89528   jail  [jail] [patch] impossible to kill a jail
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail  [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail  [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail  [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail  [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail  [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail  [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o bin/119305   jail  [jail] [patch] jexec(8): jexec -n prisonname: selectio
o kern/120753  jail  [jail] Zombie jails (jailed child process exits while

10 problems total.

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 21 12:43:39 2008
Date: Thu, 21 Feb 2008 04:16:58 -0800 (PST)
From: Tommy Pham
To: freebsd-jail@freebsd.org
Message-ID: <191163.24082.qm@web38214.mail.mud.yahoo.com>
Subject: restrictions between host and jail

Hi,

Could someone please explain to me the difference between host and jail
when the security.jail settings are as follows:

security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1

I also have devfs (with various rulesets), fdescfs, procfs enabled for
the jail.

I'm trying to run glassfish inside the jail but I'm having a problem
with it being delayed at start-up. I don't have this problem in the
host environment. I've posted about glassfish resource requirements at
glassfish's forum but I didn't get any response.

I've tried running glassfish with all variations of configurations in
security.jail and jail's filesystem (devfs, procfs, fdescfs) and am still
unable to find the cause of the delayed start-up. Glassfish takes less
than 30 seconds to start in host while in jail it takes 5+ minutes. When I
run asadmin list-domains, I get "Unauthorized access" in jail
environment. I didn't get this error in host.
Thanks in advance,
Tommy

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 21 13:10:27 2008
Date: Thu, 21 Feb 2008 14:10:34 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Tommy Pham
Cc: freebsd-jail@freebsd.org
Message-ID: <47BD784A.5090804@quip.cz>
In-Reply-To: <191163.24082.qm@web38214.mail.mud.yahoo.com>
Subject: Re: restrictions between host and jail

Tommy Pham wrote:
> Hi,
>
> Could someone please explain to me the difference between host and jail
> when the security.jail settings are as follows:
>
> security.jail.mount_allowed: 1
> security.jail.chflags_allowed: 1
> security.jail.allow_raw_sockets: 1
> security.jail.enforce_statfs: 2
> security.jail.sysvipc_allowed: 1
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
>
> I also have devfs (with various rulesets), fdescfs, procfs enabled for
> the jail.
>
> I'm trying to run glassfish inside the jail but I'm having a problem
> with it being delayed at start-up. I don't have this problem in the
> host environment. I've posted about glassfish resource requirements at
> glassfish's forum but I didn't get any response.
>
> I've tried running glassfish with all variations of configurations in
> security.jail and jail's filesystem (devfs, procfs, fdescfs) and am still
> unable to find the cause of the delayed start-up. Glassfish takes less
> than 30 seconds to start in host while in jail it takes 5+ minutes. When I
> run asadmin list-domains, I get "Unauthorized access" in jail
> environment. I didn't get this error in host.

I don't know glassfish, but can it be caused by some problems with
domain name resolution?
(empty or wrong /etc/resolv.conf or /etc/hosts in jail)

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 21 13:22:07 2008
Date: Thu, 21 Feb 2008 05:22:06 -0800 (PST)
From: Tommy Pham
To: freebsd-jail@freebsd.org
Message-ID: <624466.76178.qm@web38202.mail.mud.yahoo.com>
In-Reply-To: <47BD784A.5090804@quip.cz>
Subject: Re: restrictions between host and jail

--- Miroslav Lachman <000.fbsd@quip.cz> wrote:
> Tommy Pham wrote:
> > Hi,
> >
> > Could someone please explain to me the difference between host and jail
> > when the security.jail settings are as follows:
> >
> > security.jail.mount_allowed: 1
> > security.jail.chflags_allowed: 1
> > security.jail.allow_raw_sockets: 1
> > security.jail.enforce_statfs: 2
> > security.jail.sysvipc_allowed: 1
> > security.jail.socket_unixiproute_only: 1
> > security.jail.set_hostname_allowed: 1
> >
> > I also have devfs (with various rulesets), fdescfs, procfs enabled for
> > the jail.
> >
> > I'm trying to run glassfish inside the jail but I'm having a problem
> > with it being delayed at start-up. I don't have this problem in the
> > host environment. I've posted about glassfish resource requirements at
> > glassfish's forum but I didn't get any response.
> >
> > I've tried running glassfish with all variations of configurations in
> > security.jail and jail's filesystem (devfs, procfs, fdescfs) and am still
> > unable to find the cause of the delayed start-up. Glassfish takes less
> > than 30 seconds to start in host while in jail it takes 5+ minutes. When I
> > run asadmin list-domains, I get "Unauthorized access" in jail
> > environment. I didn't get this error in host.
>
> I don't know glassfish, but can it be caused by some problems with
> domain name resolution? (empty or wrong /etc/resolv.conf or /etc/hosts
> in jail)
>
> Miroslav Lachman

Hi Miroslav,

Thanks for the reply. That's what I thought at first too but I can do
nslookup by host and IP properly. The files are set correctly. Funny
thing is that the initial glassfish startup after build is ok (within
30 secs) regardless of security.jail and fs settings in rc.conf. I've
tested just about every case scenario for weeks now :(...
Thanks,
Tommy

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 21 14:16:46 2008
Date: Thu, 21 Feb 2008 15:16:27 +0100
From: Alexander Leidinger
To: Tommy Pham
Cc: freebsd-jail@freebsd.org
Message-ID: <20080221151627.ovbkq6k4w04gs48w@webmail.leidinger.net>
In-Reply-To: <191163.24082.qm@web38214.mail.mud.yahoo.com>
Subject: Re: restrictions between host and jail

Quoting Tommy Pham (from Thu, 21 Feb 2008 04:16:58 -0800 (PST)):

> Hi,
>
> Could someone please explain to me the difference between host and jail
> when the security.jail settings are as follows:
>
> security.jail.mount_allowed: 1

You are allowed to use mount inside the jail.

> security.jail.chflags_allowed: 1

You are allowed to change file flags.

> security.jail.allow_raw_sockets: 1

You can ping from inside the jail (actually: you can create any kind
of network traffic, not only system generated TCP/UDP packets; the
most visible change from a user's point of view is that you can ping).

> security.jail.enforce_statfs: 2

Don't display FSes outside of a jail to processes inside a jail.

> security.jail.sysvipc_allowed: 1

You can use SysV shared resources (ipcs -a) in a jail. Warning: this
means that every jail is able to access the same shared resources,
whether they belong to the same jail or not.

> security.jail.socket_unixiproute_only: 1

Have a look at the man page of jail, I can not produce a shorter
explanation (and I would have to look it up there myself to get the
details right).

> security.jail.set_hostname_allowed: 1

You are allowed to change your hostname from inside the jail. A change
would affect the data in /proc (have a look at the man page of jail to
read more).

Bye,
Alexander.

-- 
To see the IP addresses currently set on your active interfaces, type "ifconfig -u".
		-- Dru

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Thu Feb 21 19:10:00 2008
Date: Thu, 21 Feb 2008 11:09:59 -0800 (PST)
From: Tommy Pham
To: Alexander Leidinger
Cc: freebsd-jail@freebsd.org
Message-ID: <947511.45845.qm@web38201.mail.mud.yahoo.com>
In-Reply-To: <20080221151627.ovbkq6k4w04gs48w@webmail.leidinger.net>
Subject: Re: restrictions between host and jail

--- Alexander Leidinger wrote:
> Quoting Tommy Pham (from Thu, 21 Feb 2008 04:16:58 -0800 (PST)):
>
> > Hi,
> >
> > Could someone please explain to me the difference between host and jail
> > when the security.jail settings are as follows:
> >
> > security.jail.mount_allowed: 1
>
> You are allowed to use mount inside the jail.
>
> > security.jail.chflags_allowed: 1
>
> You are allowed to change file flags.
>
> > security.jail.allow_raw_sockets: 1
>
> You can ping from inside the jail (actually: you can create any kind
> of network traffic, not only system generated TCP/UDP packets; the
> most visible change from a user's point of view is that you can ping).
>
> > security.jail.enforce_statfs: 2
>
> Don't display FSes outside of a jail to processes inside a jail.
>
> > security.jail.sysvipc_allowed: 1
>
> You can use SysV shared resources (ipcs -a) in a jail. Warning: this
> means that every jail is able to access the same shared resources,
> whether they belong to the same jail or not.
>
> > security.jail.socket_unixiproute_only: 1
>
> Have a look at the man page of jail, I can not produce a shorter
> explanation (and I would have to look it up there myself to get the
> details right).
>
> > security.jail.set_hostname_allowed: 1
>
> You are allowed to change your hostname from inside the jail. A change
> would affect the data in /proc (have a look at the man page of jail to
> read more).
>
> Bye,
> Alexander.
>
> -- 
> To see the IP addresses currently set on your active interfaces, type
> "ifconfig -u".
> 		-- Dru
>
> http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

Hi Alexander,

Thanks for the reply. I understand what those options do, but what I'm
trying to ask is: as I've set those options for the jails, what other
differences are there between host & jail environment, since turning on
those options lessens the jail's restriction of resources to be similar
or exactly as in the host environment?

Thanks,
Tommy

From owner-freebsd-jail@FreeBSD.ORG Fri Feb 22 11:10:02 2008
Date: Fri, 22 Feb 2008 12:09:48 +0100
From: Alexander Leidinger
To: Tommy Pham
Cc: freebsd-jail@freebsd.org
Message-ID: <20080222120948.ff2qlut8iswws4co@webmail.leidinger.net>
In-Reply-To: <947511.45845.qm@web38201.mail.mud.yahoo.com>
Subject: Re: restrictions between host and jail

Quoting Tommy Pham (from Thu, 21 Feb 2008 11:09:59 -0800 (PST)):

> Thanks for the reply. I understand what those options do, but what I'm
> trying to ask is: as I've set those options for the jails, what other
> differences are there between host & jail environment, since turning on
> those options lessens the jail's restriction of resources to be similar
> or exactly as in the host environment?

There are several. For example you also don't have access to all
devices. I suggest you do a ktrace (or similar) of the process in the
jail to see what it does.

Bye,
Alexander.

-- 
Not SENSUOUS ... only "FROLICSOME" ... and in need of DENTAL WORK ... in PAIN!!!

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
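Alexander's answers earlier in this thread map each security.jail knob to the capability it hands the jail, and his warning that sysvipc_allowed lets every jail reach the same SysV resources is exactly the kind of thing an operator wants flagged before a jail goes into service. The POSIX shell script below is an added example and is not code from the thread, from its authors, or from FreeBSD: it reads the output of `sysctl security.jail` on stdin and reports every knob that is looser than a restrictive baseline, using the knob meanings given in the thread and in jail(8). The baseline values, the assumed output shape `security.jail.<knob>: <value>`, and the sample input (the settings Tommy posted, reproduced here as constructed test data) are the example's own assumptions; the baseline is the strictest value for each of the 7.x-era knobs discussed above, so check it against jail(8) on the release in use.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): audit security.jail
# sysctls against a restrictive baseline and report which knobs are relaxed.
#
# Live use on a FreeBSD host (assumes lines of the form "security.jail.<knob>: <value>"):
#     sysctl security.jail | audit_jail_sysctls

# Constructed sample input: the values Tommy posted in the thread.
SAMPLE_SYSCTL='security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1'

# Read sysctl lines on stdin; print one RELAXED line per knob looser than the baseline.
audit_jail_sysctls() {
    awk '
    BEGIN {
        # Assumed strictest value per knob (verify against jail(8) for your release),
        # paired with what relaxing it grants, as explained in the thread.
        base["mount_allowed"]           = 0; why["mount_allowed"]           = "mount(8) usable from inside the jail"
        base["chflags_allowed"]         = 0; why["chflags_allowed"]         = "file flags changeable from inside the jail"
        base["allow_raw_sockets"]       = 0; why["allow_raw_sockets"]       = "raw sockets: arbitrary packets, not only TCP/UDP"
        base["enforce_statfs"]          = 2; why["enforce_statfs"]          = "mount points outside the jail visible to jailed processes"
        base["sysvipc_allowed"]         = 0; why["sysvipc_allowed"]         = "SysV IPC shared with the host and every other jail"
        base["socket_unixiproute_only"] = 1; why["socket_unixiproute_only"] = "socket families beyond UNIX/IP/route usable"
        base["set_hostname_allowed"]    = 0; why["set_hostname_allowed"]    = "hostname changeable from inside the jail"
    }
    /^security\.jail\./ {
        knob = $1
        sub(/^security\.jail\./, "", knob)   # strip the sysctl prefix ...
        sub(/:$/, "", knob)                  # ... and the trailing colon
        if (!(knob in base)) next            # knob not in the baseline: ignore it
        # Every baseline entry is the strictest value, so any deviation means
        # the knob is looser (lower for enforce_statfs, higher for the others).
        if ($2 + 0 != base[knob])
            printf "RELAXED %s=%s (restrictive: %s): %s\n", knob, $2, base[knob], why[knob]
    }'
}

# Number of relaxed knobs, usable as a pass/fail signal in a provisioning check.
count_relaxed() {
    audit_jail_sysctls | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: reports the five relaxed knobs.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_jail_sysctls
```

Run against Tommy's settings the script lists mount_allowed, chflags_allowed, allow_raw_sockets, sysvipc_allowed and set_hostname_allowed as relaxed and stays silent on enforce_statfs and socket_unixiproute_only, which is a compact statement of how much of the jail boundary his configuration has removed; the `count_relaxed` wrapper turns the same output into a number a jail build script can refuse to proceed on.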