From owner-freebsd-jail@freebsd.org Sun Jun 24 08:04:04 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 10CD3101DC46; Sun, 24 Jun 2018 08:04:04 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8ED097E488; Sun, 24 Jun 2018 08:04:03 +0000 (UTC) (envelope-from SRS0=8X+v=JK=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 2360928411; Sun, 24 Jun 2018 10:03:55 +0200 (CEST) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id A144828422; Sun, 24 Jun 2018 10:03:46 +0200 (CEST) Subject: Re: jail related inconsistencies in FreeBSD tools parameters To: James Gritton , bsd-lists@bsdforge.com, freebsd-jail@freebsd.org, freebsd-stable Stable References: <6dd9952452c73826a2f9c01612586bea@udns.ultimatedns.net> <18000a3b93085c91aeffbca937862786@freebsd.org> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <47728073-93d3-325c-d90f-6235a4d548e7@quip.cz> Date: Sun, 24 Jun 2018 10:03:45 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <18000a3b93085c91aeffbca937862786@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Sun, 24 Jun 2018 08:04:04 -0000 James Gritton wrote on 2018/06/23 17:30: > On 2018-06-22 16:03, Miroslav Lachman wrote: >> Chris H wrote on 2018/06/22 23:46: >>> On Fri, 22 Jun 2018 23:13:17 +0200 "Miroslav Lachman" >>> <000.fbsd@quip.cz> said >>> >>>> I don't know if it is better to discuss it in jail@ or stable@ list >>>> so a do cross-post. >>>> >>>> FreeBSD has many jail aware utilities but they are inconsistent in >>>> taking JID as parameter. >>>> >>>> For example "sockstat" takes -j JID "Show only sockets belonging to >>>> the specified jail ID" and it means numeric ID only. >>>> On the other hand "ps" takes -J JID "This may be either the jid or >>>> name of the jail.  Use -J 0 to display only host processes." >>>> The same apply for "top", it understands jid as a number or name of >>>> the jail too. >>>> Then again "cpuset" takes only numerical ID of the jail... >>>> >>>> Shouldn't it be consistent across all FreeBSD base utilities so all >>>> of them can use numerical ID and name? >>> Good idea! Are you offering to create a patch? ;-) >>> It'd be my guess that given they weren't all created at the same >>> time, nor >>> the same individual; that (quite probably?) the "jail" additions were >>> also >>> added at different times, and by different people. So I'd imagine that >>> unless someone with a commit bit decides one day they'd like to take >>> that >>> on. Someone(tm) maybe you? will need to propose a patch. :-) >> >> If I can understand C sources I will create the patch by myself >> instead of just posting here. Unfortunately I am able to code in sh, >> php and a bit of javascript and perl but no C. :) >> >> Miroslav Lachman > > Sure, a PR would be handy for this - it's a pretty simple thing to add, > and consistency would indeed be a good move. 
PR 229266 created https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 Kind regards Miroslav Lachman From owner-freebsd-jail@freebsd.org Tue Jun 26 18:43:08 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6623A1010F1C; Tue, 26 Jun 2018
18:43:08 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (gritton.org [199.192.165.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gritton.org", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 05BBA7DD09; Tue, 26 Jun 2018 18:43:07 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org ([127.0.0.131]) by gritton.org (8.15.2/8.15.2) with ESMTP id w5QIgqIK007004; Tue, 26 Jun 2018 12:42:52 -0600 (MDT) (envelope-from jamie@freebsd.org) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Tue, 26 Jun 2018 12:42:52 -0600 From: James Gritton To: Eitan Adler Cc: bsd-lists@bsdforge.com, freebsd-jail@freebsd.org, freebsd-stable Stable Subject: Re: jail related inconsistencies in FreeBSD tools parameters In-Reply-To: References: <6dd9952452c73826a2f9c01612586bea@udns.ultimatedns.net> <18000a3b93085c91aeffbca937862786@freebsd.org> <51718e96f63175e997cb8268381d1070@freebsd.org> Message-ID: <8b11953ce292aff0bc60298e2e7613d6@freebsd.org> X-Sender: jamie@freebsd.org User-Agent: Roundcube Webmail/1.3.6 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jun 2018 18:43:08 -0000 On 2018-06-23 12:58, Eitan Adler wrote: > On 23 June 2018 at 08:50, James Gritton wrote: >> On 2018-06-23 09:45, Eitan Adler wrote: >>> >>> On 23 June 2018 at 08:30, James Gritton wrote: >>>> >>>> On 2018-06-22 16:03, Miroslav Lachman wrote: >>>>> >>>>> >>>>> Chris H wrote on 2018/06/22 23:46: >>>>>> >>>>>> >>>>>> On Fri, 22 Jun 2018 23:13:17 +0200 "Miroslav Lachman" >>>>>> <000.fbsd@quip.cz> >>>>>> said >>>>>> >>>>>>> I don't know if it is better to discuss it in jail@ or stable@ >>>>>>> list so >>>>>>> a >>>>>>> do cross-post. 
>>>>>>> >>>>>>> FreeBSD has many jail aware utilities but they are inconsistent >>>>>>> in >>>>>>> taking JID as parameter. >>>>>>> >>>>>>> For example "sockstat" takes -j JID "Show only sockets belonging >>>>>>> to >>>>>>> the >>>>>>> specified jail ID" and it means numeric ID only. >>>>>>> On the other hand "ps" takes -J JID "This may be either the jid >>>>>>> or >>>>>>> name >>>>>>> of the jail. Use -J 0 to display only host processes." >>>>>>> The same apply for "top", it understands jid as a number or name >>>>>>> of >>>>>>> the >>>>>>> jail too. >>>>>>> Then again "cpuset" takes only numerical ID of the jail... >>>>>>> >>>>>>> Shouldn't it be consistent across all FreeBSD base utilities so >>>>>>> all of >>>>>>> them can use numerical ID and name? >>>>>> >>>>>> >>>>>> Good idea! Are you offering to create a patch? ;-) >>>>>> It'd be my guess that given they weren't all created at the same >>>>>> time, >>>>>> nor >>>>>> the same individual; that (quite probably?) the "jail" additions >>>>>> were >>>>>> also >>>>>> added at different times, and by different people. So I'd imagine >>>>>> that >>>>>> unless someone with a commit bit decides one day they'd like to >>>>>> take >>>>>> that >>>>>> on. Someone(tm) maybe you? will need to propose a patch. :-) >>>>> >>>>> >>>>> >>>>> If I can understand C sources I will create the patch by myself >>>>> instead of just posting here. Unfortunately I am able to code in >>>>> sh, >>>>> php and a bit of javascript and perl but no C. :) >>>>> >>>>> Miroslav Lachman >>>> >>>> >>>> >>>> Sure, a PR would be handy for this - it's a pretty simple thing to >>>> add, >>>> and >>>> consistency would indeed be a good move. >>> >>> >>> Agreed. I'll review and commit such patches. I'd like to see a single >>> function for taking a "id or name". Ideally it would live in a >>> library, perhaps libjail? >> >> >> It already lives there: jail_getid(3) > > I was thinking of a more generic one that does id or name. 
Now that I > think about it a bit more, C makes this kind of thing impossible to do > usefully. > > That said, I'll still review and commit any patches to existing tools > to make them behave consistently. Yes, jail_getid(3) works with either a numeric ID or a name. I've added a patch to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 for the four programs I've found that need help. I've tested the easy ones (cpuset and sockstat). - Jamie From owner-freebsd-jail@freebsd.org Tue Jun 26 19:14:28 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 17FFA1012974; Tue, 26 Jun 2018 19:14:28 +0000 (UTC) (envelope-from SRS0=Ta0Z=JM=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A3CCB7F964; Tue, 26 Jun 2018 19:14:27 +0000 (UTC) (envelope-from SRS0=Ta0Z=JM=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 2166928416; Tue, 26 Jun 2018 21:14:26 +0200 (CEST) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id D530728412; Tue, 26 Jun 2018 21:14:24 +0200 (CEST) Subject: Re: jail related inconsistencies in FreeBSD tools parameters To: James Gritton , Eitan Adler Cc: freebsd-jail@freebsd.org, freebsd-stable Stable , bsd-lists@bsdforge.com References: <6dd9952452c73826a2f9c01612586bea@udns.ultimatedns.net> <18000a3b93085c91aeffbca937862786@freebsd.org> <51718e96f63175e997cb8268381d1070@freebsd.org> <8b11953ce292aff0bc60298e2e7613d6@freebsd.org> From: Miroslav Lachman 
<000.fbsd@quip.cz> Message-ID: <383af6fa-ae18-9126-de99-d642fe8407ae@quip.cz> Date: Tue, 26 Jun 2018 21:14:24 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <8b11953ce292aff0bc60298e2e7613d6@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jun 2018 19:14:28 -0000 James Gritton wrote on 2018/06/26 20:42: > On 2018-06-23 12:58, Eitan Adler wrote: [...] >> I was thinking of a more generic one that does id or name. Now that I >> think about it a bit more, C makes this kind of thing impossible to do >> usefully. >> >> That said, I'll still review and commit any patches to existing tools >> to make them behave consistently. > > Yes, jail_getid(3) works with either a numeric ID or a name. > > I've added a patch to > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 for the four > programs I've found that need help.  I've tested the easy ones (cpuset > and sockstat). Thank you very much. I really appreciate your neverending work on jails! I hope it will be committed soon. 
Kind regards Miroslav Lachman From owner-freebsd-jail@freebsd.org Tue Jun 26 19:53:17 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D600A1015AB4; Tue, 26 Jun 2018 19:53:17 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7A30D818AA; Tue, 26 Jun 2018 19:53:17 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id BFE7521881; Tue, 26 Jun 2018 12:53:08 -0700 (PDT) Date: Tue, 26 Jun 2018 12:53:08 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org, freebsd-jail@freebsd.org Subject: Jailing {open,}ntpd Message-ID: MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jun 2018 19:53:18 -0000 Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux container? Can it be done in such a way that a breached daemon would not have access to the host? 
Roger Marquis From owner-freebsd-jail@freebsd.org Tue Jun 26 20:48:03 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 636EC10198C5; Tue, 26 Jun 2018 20:48:03 +0000 (UTC) (envelope-from quake2k@mail.ru) Received: from f142.i.mail.ru (f142.i.mail.ru [128.140.171.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E6F9D8391B; Tue, 26 Jun 2018 20:48:02 +0000 (UTC) (envelope-from quake2k@mail.ru) Received: by f142.i.mail.ru with local (envelope-from ) id 1fXusS-0005ch-4P; Tue, 26 Jun 2018 23:47:52 +0300 Received: by e.mail.ru with HTTP; Tue, 26 Jun 2018 23:47:52 +0300 From: John Freeman To: Roger Marquis Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org Subject: Re: Jailing {open,}ntpd MIME-Version: 1.0 X-Mailer: Mail.Ru Mailer 1.0 Date: Tue, 26 Jun 2018 23:47:52 +0300 Reply-To: John Freeman X-Priority: 3 (Normal) Message-ID: <1530046072.33630487@f142.i.mail.ru> X-7FA49CB5: 0D63561A33F958A5607D833A4F3E8130DB55D34F037F9F88499158D57AB6E856725E5C173C3A84C3B5B8538481347D6ADCDF4FDF8F3F1F276B0B6A749F1976AFC4224003CC836476C0CAF46E325F83A50BF2EBBBDD9D6B0F2AF38021CC9F462D574AF45C6390F7469DAA53EE0834AAEE X-Mailru-MI: 800 X-Mailru-Sender: D940E3D0A8BFF72F2CC58892244DB8AE86D1BA6436606C5ADC27E1392B4ADA8BE39FB3263DD3419ADF434FAF91264EB3346D653DC8F96EBFF1B10390766F31F2A81CC308ED5F28576113E6702025CDEB46E133BC73C3D8015FEEDEB644C299C0ED14614B50AE0675 X-Mras: OK X-Spam: undefined In-Reply-To: References: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.26 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jun 2018 20:48:03 -0000 Why not with the appropriate devfs rules? > Tuesday, 26 June 2018, 23:00 +03:00 from Roger Marquis <marquis@roble.com>: > > Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux > container? Can it be done in such a way that a breached daemon would > not have access to the host? > > Roger Marquis > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" Best regards, John Freeman quake2k@mail.ru From owner-freebsd-jail@freebsd.org Wed Jun 27 04:10:21 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D526102CD9A for ; Wed, 27 Jun 2018 04:10:21 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id AE5F9921F5 for ; Wed, 27 Jun 2018 04:10:19 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id w5R3Hjuv047648 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 27 Jun 2018 13:17:45 +1000
(AEST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Subject: Re: Jailing {open,}ntpd To: Roger Marquis , freebsd-jail@freebsd.org References: From: Dewayne Geraghty Message-ID: <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au> Date: Wed, 27 Jun 2018 13:17:46 +1000 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-AU X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jun 2018 04:10:21 -0000 Hi Roger, I have a similar mental state :) Yes, I run ports ntpd within a chroot environment. ntpd can run within a jail, but it lacks the priv to perform a syscall to modify time. Which is correct behaviour for a restricted environment, protecting other jailed environs. Previously there was also an mlock call, which prevented it running, but that was changed a while ago; but that's an aside unless you're running on old "stuff". ;) As this is not a security issue, I've removed those interested in that area from the CC. There are a few tricks with chroot, but first a disclaimer: I use jails for everything except ntpd, so there may be a better way. Trick 1. This is how I want ntpd to run /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid but you can't pass arguments into chroot. So I created a "/start" that I place my chroot commands into. Trick 2. Use ldd to see what libs you need to copy into your chroot. Also remember that you must have ld-elf and /dev/null.
So, using ROOTD as your chroot destination: mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec ; and set up dev mkdir $ROOTD/dev touch $ROOTD/dev/null chmod 666 $ROOTD/dev/null; # Yes this is sufficient! The rest of the files are from the ntpd tarfile. Enjoy ;) PS: ntpq won't report due to "servname not supported for ai_socktype"... no solution yet. From owner-freebsd-jail@freebsd.org Wed Jun 27 04:40:05 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2157C102E05F for ; Wed, 27 Jun 2018 04:40:05 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 32D8C935C2 for ; Wed, 27 Jun 2018 04:40:03 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id w5R4D1Ob096166 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 27 Jun 2018 14:13:01 +1000 (AEST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Subject: Re: Jailing {open,}ntpd From: Dewayne Geraghty To: Roger Marquis , freebsd-jail@freebsd.org References: <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au> Message-ID: <3935aa1a-4b95-1c91-ffac-1d98ae718a9c@heuristicsystems.com.au> Date: Wed, 27 Jun 2018 14:13:02 +1000 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To:
<081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-AU X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jun 2018 04:40:05 -0000 On 27/06/2018 1:17 PM, Dewayne Geraghty wrote: > Hi Roger, I have a similar mental state :) > > Yes, I run ports ntpd within a chroot environment.  > > ntpd can run within a jail, but it lacks the priv to perform a syscall > to modify time.  Which is correct behaviour, for a restricted > environment; protecting other jailed environs.  Previously there was > also an mlock call, which prevented it running but that was changed a > while ago; but that's an aside unless you're running on old "stuff". ;) > > As this is not a security issue, I've removed those interested in that > area from the CC. > > There are a few tricks with chroot, but first a disclaimer: I use jails > for everything except ntpd, so there may be a better way. > > Trick 1. This is how I want ntpd to run > > /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid > > but you can't pass arguments into chroot.  So I created a "/start" that > I place my chroot commands into. > > Trick 2.  Use ldd to see what libs you need to copy into your chroot.  > Also remember, that you must have ld-elf and /dev/null. So > > Using ROOTD as your chroot destination > > mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec  ; > > and setup dev > >   mkdir  $ROOTD/dev >   touch $ROOTD/dev/null >   chmod 666 $ROOTD/dev/null;   # Yes this is sufficient! > > The rest of the files are from the ntpd tarfile.  Enjoy ;) > > PS: ntpq wont report due to "servname not supported for ai_socktype"... > no solution yet. > Oops.  Running on low memory. 
Roger, forget trick 1 above, we run our ntp via chroot /usr/chroot/ntp /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid and yes, "ntpq -np 127.0.0.1" works from the base system.  Tsk. From owner-freebsd-jail@freebsd.org Thu Jun 28 06:08:17 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A04A101E16E; Thu, 28 Jun 2018 06:08:17 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from mail.tyknet.dk (mail.tyknet.dk [IPv6:2a01:4f8:201:2327:144:76:253:226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BB93A8BF47; Thu, 28 Jun 2018 06:08:16 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from [10.137.3.13] (nat2.hq.bornfiber.dk [185.96.91.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.tyknet.dk (Postfix) with ESMTPSA id F167DB9F2E0; Thu, 28 Jun 2018 06:08:13 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tyknet.dk F167DB9F2E0 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default; t=1530166094; bh=LGhdV/5kEalva5a1Ueogi78SspwjdbnXhBI9umOAvnY=; h=Subject:To:References:From:Date:In-Reply-To; b=H4rLJ5fwwni3IF80HODyH3Qp5qzLEgSYT1ObEFCt2WvOZpZuBI5qGvQeghT3AHcEw 9PL3doEY69nNEYCsY13/BILilHvT1zUxFbcB+GXiv5jHVgoeHQXYqDND+5lfxlrpl7 CJKFOzkgG7PmhkG7rOHahVU8kICX05tmapvXGiRdD2IGcInBRpihyESYQuRq3mhCJk SLmYRuBs3cCSfK06TglCT9bWKP05ve2Y1eiLGsXUpPNNpzC7sBHTvS2zsAGSXulvg7 0UAhIw6cGuM678votnJAmC4+4vFTmbY2PaaaYbjY03bA+j6Mem7ie6s278/i5rK0T0 iGRpS4qwcLjVA== Subject: Re: Jailing {open,}ntpd To: Roger Marquis , freebsd-security@freebsd.org, freebsd-jail@freebsd.org References: From: Thomas Steen Rasmussen Message-ID: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk> Date: Thu, 28 Jun 2018 08:08:12 +0200 User-Agent: 
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jun 2018 06:08:17 -0000 On 06/26/2018 09:53 PM, Roger Marquis wrote: > Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux > container? Can it be done in such a way that a breached daemon would > not have access to the host? > > Roger Marquis Hello, TL;DR: +1 I've been wondering about the same thing. Anything that speaks to untrusted network clients belongs in a jail, but to my knowledge both ntpds are unjailable because they want to use some kernel system calls (to adjust time) which are not allowed in jails (as it should be). In my opinion adjusting the local bios/cmos clock and keeping it in sync with some upstream NTP source is a different task than serving NTP to untrusted network clients (like an ISP is expected to do). I'd love for one or both ntpds to have an option to only serve local time, without attempting to adjust the clock, if such a feature is possible. I'd then keep an ntpd running in the base system which takes care of keeping the system clock in sync, and another in a jail which only reads the time and serves it to network clients, but doesn't try to adjust or speak to upstream NTPs. I will be watching this thread hoping that someone who knows about NTP will chime in. Thanks!
Best regards, Thomas Steen Rasmussen From owner-freebsd-jail@freebsd.org Thu Jun 28 12:02:13 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9C47102FB1F; Thu, 28 Jun 2018 12:02:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from echo.brtsvcs.net (echo.brtsvcs.net [IPv6:2607:f740:c::4ae]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8AECC78815; Thu, 28 Jun 2018 12:02:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from chombo.houseloki.net (c-73-240-250-185.hsd1.or.comcast.net [73.240.250.185]) by echo.brtsvcs.net (Postfix) with ESMTPS id 7401038D07; Thu, 28 Jun 2018 05:02:11 -0700 (PDT) Received: from [IPv6:fe80::7102:4df8:1f13:5c55] (unknown [IPv6:fe80::7102:4df8:1f13:5c55]) by chombo.houseloki.net (Postfix) with ESMTPSA id 1E099274E; Thu, 28 Jun 2018 05:02:10 -0700 (PDT) Subject: Re: Jailing {open,}ntpd To: Thomas Steen Rasmussen , Roger Marquis , freebsd-security@freebsd.org, freebsd-jail@freebsd.org References: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk> From: Mel Pilgrim Message-ID: <5d28bb01-85e2-f08e-1bc8-865148c3cf9e@bluerosetech.com> Date: Thu, 28 Jun 2018 05:02:12 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jun 2018 12:02:13 -0000 On 06/27/2018 23:08, Thomas Steen Rasmussen wrote: 
> Anything that speaks to untrusted network clients belongs in a jail, but > to my knowledge both ntpds are unjailable because they want to use some > kernel system calls (to adjust time) which are not allowed in jails (as > it should be). > > In my opinion adjusting the local bios/cmos clock and keeping it in sync > with some upstream NTP source is a different task than serving NTP to > untrusted network clients (like an ISP is expected to do). > > I'd love for one or both ntpds to have an option to only serve local > time, without attempting to adjust the clock, if such a feature is > possible. > > I'd then keep an ntpd running in the base system which takes care of > keeping the system clock in-sync, and another in a jail which only reads > the time and serves it to network clients, but doesn't try to adjust or > speak to upsteam NTPs. You can do this by configuring the jailed ntpd with the local clock driver as a reference. Doing this for an ntpd serving the general public would be evil. NTP Pool Project membership prohibits using the local clock driver. If your priority is something with a better security profile than an ISC daemon, run OpenNTPD instead. For the ISC ntpd, configure a reference clock with a server line that has a magic number 127.127.0.0/16 address. The "Reference Clock Support" section of ntp.conf(5) has more details. The local clock is type 1. OpenNTPD does not have reference clock support.
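Putting the thread together, here is an added example of my own (not code from the thread, from FreeBSD or from the ntp project). It generates the ntp.conf Mel describes for a jailed, serve-only ISC ntpd, with the local clock driver (refclock type 1, address 127.127.1.0) as the sole reference and restrict lines so untrusted clients can only ask for time; it checks that such a config really has no upstream server and no clock discipline, which is the split Thomas asked for (the host's ntpd keeps the clock, the jailed one only answers); and it builds the minimal chroot skeleton from Dewayne's ldd/ld-elf steps. Directive names are taken from ntp.conf(5); "disable ntp" and "disable kernel" are the enable/disable switches documented there, and their behaviour next to a refclock-only setup should be confirmed on the ntpd build in use. The directory layout, binary path and client ranges are assumptions. Two caveats a practitioner will want: as Mel says, a local-clock-only server must not face the general public or the NTP Pool; and on FreeBSD you cannot mknod a device node inside a chroot (touch gives a plain file called null), so mount devfs on ROOT/dev with a ruleset exposing only what ntpd needs, which is what the "devfs rules" reply above hints at.

```sh
#!/bin/sh
# Added example, not code from the thread, FreeBSD or the ntp project.
# Builds an ntp.conf for a jailed, serve-only ISC ntpd whose only reference
# is the local clock driver (type 1, unit 0 = 127.127.1.0), verifies that a
# config keeps that property, and lays out a minimal chroot for the daemon.
# Directive names follow ntp.conf(5); paths and client ranges are assumptions.
set -eu

# prefix_to_mask LEN: IPv4 prefix length (0..32) -> dotted-quad netmask,
# because "restrict" takes "address mask netmask", not CIDR.
prefix_to_mask() {
    p=$1 mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then o=0
        else o=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}${o}"
    done
    printf '%s\n' "$mask"
}

# serve_only_ntp_conf [NET/LEN ...]: print the config on stdout.
# With no arguments anyone may ask for time (the ISP case); with client
# ranges, everyone else is ignored. Either way clients only get time:
# no ntpq/ntpdc queries, no peering, no runtime modification.
serve_only_ntp_conf() {
    cat <<'EOF'
# Sole reference: the local clock driver (type 1, unit 0), fudged to a
# low stratum so nobody mistakes this box for a real clock source.
server 127.127.1.0
fudge  127.127.1.0 stratum 10
# Never try to discipline the clock: the jail cannot, and this daemon
# should not even attempt it (the host's ntpd keeps the clock in sync).
disable ntp
disable kernel
# Local admin access for ntpq only.
restrict 127.0.0.1
restrict ::1
EOF
    if [ $# -eq 0 ]; then
        echo 'restrict default kod limited nomodify notrap nopeer noquery'
    else
        echo 'restrict default ignore'
        for net in "$@"; do
            printf 'restrict %s mask %s kod limited nomodify notrap nopeer noquery\n' \
                "${net%/*}" "$(prefix_to_mask "${net#*/}")"
        done
    fi
}

# check_serve_only_conf FILE: exit 0 only if every server/peer/pool line is
# a 127.127.t.u refclock and clock discipline is switched off. Catches the
# drift where someone later adds a real upstream "server" to the jailed copy.
check_serve_only_conf() {
    awk '
        $1 == "server" || $1 == "peer" || $1 == "pool" {
            if ($2 !~ /^127\.127\.[0-9]+\.[0-9]+$/) bad = 1
        }
        $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "ntp") off = 1 }
        END { if (bad || !off) exit 1; exit 0 }
    ' "$1"
}

# make_ntp_chroot ROOT NTPD_BIN [NET/LEN ...]: copy the binary, the dynamic
# loader and every library ldd reports (Dewayne's trick 2), create an empty
# dev/ (on FreeBSD, mount devfs there with a ruleset; mknod will not work),
# and drop the serve-only ntp.conf into ROOT/etc.
make_ntp_chroot() {
    root=$1 bin=$2
    shift 2
    mkdir -p "$root/dev" "$root/etc" "$root/var/run" "$root/libexec" "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    if [ -f /libexec/ld-elf.so.1 ]; then cp /libexec/ld-elf.so.1 "$root/libexec/"; fi
    if command -v ldd >/dev/null 2>&1; then
        # Keep only absolute paths ldd prints (skips vdso and the "bin:" header).
        ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/[^:]+$/) print $i }' |
        while read -r lib; do
            mkdir -p "$root$(dirname "$lib")" && cp "$lib" "$root$lib"
        done
    fi
    serve_only_ntp_conf "$@" > "$root/etc/ntp.conf"
}
```

Usage: `make_ntp_chroot /usr/chroot/ntp /usr/local/sbin/ntpd 192.0.2.0/24` builds the tree and writes the config, after which the one-liner from the thread (`chroot /usr/chroot/ntp /usr/local/sbin/ntpd -c /etc/ntp.conf ...`) starts it; for a real jail, copy the generated file to the jail's /etc/ntp.conf instead. Run `check_serve_only_conf` from a cron job or a config-management hook so an upstream "server" line can never quietly creep back into the jailed copy.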