From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 11:06:56 2008
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA89E1065682 for ; Mon, 22 Sep 2008 11:06:56 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9A7AF8FC1C for ; Mon, 22 Sep 2008 11:06:56 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8MB6ubV015415 for ; Mon, 22 Sep 2008 11:06:56 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8MB6tOx015411 for freebsd-jail@FreeBSD.org; Mon, 22 Sep 2008 11:06:55 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 22 Sep 2008 11:06:55 GMT
Message-Id: <200809221106.m8MB6tOx015411@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 22 Sep 2008 11:06:56 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/126368  jail   [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 14:04:53 2008
Date: Mon, 22 Sep 2008 09:49:24 -0400 (EDT)
From: Randy Schultz
To: freebsd-jail@freebsd.org
Subject: request for (security) comments on this setup

Heya,

I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
fstab. When the jail is up and I'm logged into the jail I can cd to the
mount point, r/w etc., everything seems to work. What's weird tho' is,
while a df on the parent shows the partition mounted as expected, a df
inside the jail shows the local disk but not the iSCSI mount. This is
fbsd 7.1-prerelease, the jail's name is spectro.

On the parent:

Root Dude ? df -h|egrep data
/dev/da0s1d    1.3T    2.9G    1.2T     0%    /usr/local/jails/spectro/data
Root Dude ? cat /etc/fstab.spectro
/usr/local/jails/basejail  /usr/local/jails/spectro/basejail  nullfs  ro  0  0
/dev/da0s1d                /usr/local/jails/spectro/data      ufs     rw  1  1

in the jail:

Dude ? df -h
Filesystem            Size    Used   Avail  Capacity  Mounted on
/dev/mirror/gm0s1e    178G     43G    121G     26%    /
Root Dude ? dmesg|egrep da0
da0 at iscsi0 bus 0 target 0 lun 0
da0: Fixed Direct Ac
Root Dude ? cd /data
Root Dude ? ls -l
total 5830386
drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
-rw-r-----  1 root  wheel     5967380480 Sep 22 09:44 all.5
Root Dude ? touch test
Root Dude ? ls -l
total 5836930
drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
-rw-r-----  1 root  wheel     5974065152 Sep 22 09:45 all.5
-rw-r--r--  1 root  wheel              0 Sep 22 09:44 test
Root Dude ? iostat 1
      tty             ad4              ad6              da0             cpu
 tin tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   0    5 33.42   4  0.12  33.43   4  0.12  62.62   2  0.11   0  0  0  0 100
   0  232 64.00   6  0.37  64.00   4  0.25  58.95  19  1.09   0  0  0  0 100
   0   78 60.57  14  0.83  61.00  16  0.95  53.09  22  1.14   0  0  0  0 100
^C

So, my first question is what am I missing, the second is does mounting
things this way into a jail pose any sort of risk for escaping the jail?

--
Randy (schulra@earlham.edu) 765.983.1283
<*> Love with your heart, think with your head; not the other way around.

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 15:55:08 2008
Date: Mon, 22 Sep 2008 15:52:43 +0000 (UTC)
From: "Bjoern A.
Zeeb"
To: Randy Schultz
Cc: freebsd-jail@freebsd.org
Message-ID: <20080922155111.T65801@maildrop.int.zabbadoz.net>
Subject: Re: request for (security) comments on this setup

On Mon, 22 Sep 2008, Randy Schultz wrote:

Hi,

> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
> fstab. When the jail is up and I'm logged into the jail I can cd
> to the mount point, r/w etc., everything seems to work. What's weird tho'
> is, while a df on the parent shows the partition mounted as expected, a df
> inside the jail shows the local disk but not the iSCSI mount.
> ...
> So, my first question is what am I missing, the second is does mounting
> things this way into a jail pose any sort of risk for escaping the jail?

Does anything change if you do a

    sysctl security.jail.enforce_statfs=1

If that's what you want you can add the following lines to
/etc/sysctl.conf in the base system so it is automatically set upon
boot:

# jails
security.jail.enforce_statfs=1

/bz

--
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 16:25:40 2008
Date: Mon, 22 Sep 2008 12:26:04 -0400 (EDT)
From: Randy Schultz
To: freebsd-jail@freebsd.org
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net>
Subject: Re: request for (security) comments on this setup

On Mon, 22 Sep 2008, Bjoern A. Zeeb spaketh thusly:

-}On Mon, 22 Sep 2008, Randy Schultz wrote:
-}
-}Hi,
-}
-}> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
-}> fstab. When the jail is up and I'm logged into the jail I can cd
-}> to the mount point, r/w etc., everything seems to work. What's weird tho'
-}> is, while a df on the parent shows the partition mounted as expected, a df
-}> inside the jail shows the local disk but not the iSCSI mount.
-}> ...
-}> So, my first question is what am I missing, the second is does mounting
-}> things this way into a jail pose any sort of risk for escaping the jail?
-}
-}Does anything change if you do a
-}    sysctl security.jail.enforce_statfs=1

Arg. I never thought to check for a sysctl option. Indeed it does. Tnx
much for the poke.

--
Randy (schulra@earlham.edu) 765.983.1283
<*> Love with your heart, think with your head; not the other way around.

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 19:14:14 2008
Message-ID: <48D7EEA3.4040504@quip.cz>
Date: Mon, 22 Sep 2008 21:14:43 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Bjoern A.
Zeeb"
References: <20080922155111.T65801@maildrop.int.zabbadoz.net>
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: request for (security) comments on this setup

Bjoern A. Zeeb wrote:
> On Mon, 22 Sep 2008, Randy Schultz wrote:
>
> Hi,
>
>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>> fstab. When the jail is up and I'm logged into the jail I can cd
>> to the mount point, r/w etc., everything seems to work. What's weird
>> tho' is, while a df on the parent shows the partition mounted as
>> expected, a df inside the jail shows the local disk but not the iSCSI
>> mount.
>> ...
>> So, my first question is what am I missing, the second is does
>> mounting things this way into a jail pose any sort of risk for
>> escaping the jail?
>
>
> Does anything change if you do a
>     sysctl security.jail.enforce_statfs=1
>
> If that's what you want you can add the following lines to
> /etc/sysctl.conf in the base system so it is automatically set upon
> boot:
>
> # jails
> security.jail.enforce_statfs=1

Does this have any impact on security?

# sysctl -d security.jail.enforce_statfs
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems

For what is this sysctl implemented?
Thanks

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 20:10:46 2008
Message-ID: <48D7F756.9040704@FreeBSD.org>
Date: Mon, 22 Sep 2008 15:51:50 -0400
From: Greg Larkin
Organization: The FreeBSD Project
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz>
In-Reply-To: <48D7EEA3.4040504@quip.cz>
Reply-To: glarkin@FreeBSD.org
Subject: Re: request for (security) comments on this setup

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote:
>> On Mon, 22 Sep 2008, Randy Schultz wrote:
>>
>> Hi,
>>
>>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail
>>> via fstab. When the jail is up and I'm logged into the jail I can cd
>>> to the mount point, r/w etc., everything seems to work. What's weird
>>> tho' is, while a df on the parent shows the partition mounted as
>>> expected, a df inside the jail shows the local disk but not the iSCSI
>>> mount.
>>> ...
>>> So, my first question is what am I missing, the second is does
>>> mounting things this way into a jail pose any sort of risk for
>>> escaping the jail?
>>
>>
>> Does anything change if you do a
>>     sysctl security.jail.enforce_statfs=1
>>
>> If that's what you want you can add the following lines to
>> /etc/sysctl.conf in the base system so it is automatically set upon
>> boot:
>>
>> # jails
>> security.jail.enforce_statfs=1
>
> Does this have any impact on security?
>
> # sysctl -d security.jail.enforce_statfs
> security.jail.enforce_statfs: Processes in jail cannot see all mounted
> file systems
>
> For what is this sysctl implemented?
>
> Thanks
>
> Miroslav Lachman

Hi Miroslav,

- From the jail(8) man page:

     security.jail.enforce_statfs
             This MIB entry determines which information processes in a jail
             are able to get about mount-points.  It affects the behaviour of
             the following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
             fhstatfs(2) (as well as similar compatibility syscalls).  When set
             to 0, all mount-points are available without any restrictions.
             When set to 1, only mount-points below the jail's chroot directory
             are visible.  In addition to that, the path to the jail's chroot
             directory is removed from the front of their pathnames.  When set
             to 2 (default), above syscalls can operate only on a mount-point
             where the jail's chroot directory is located.

Hope that helps,
Greg

- --
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI1/dW0sRouByUApARAn8jAKC7BV/WcYK9jD0u8rT78dKpUxxKTgCeKu5v
6Z1BxjUUhlNPeszk+JCNDOg=
=ja/n
-----END PGP SIGNATURE-----

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 21:18:50 2008
Message-ID: <48D80BD4.8050505@quip.cz>
Date: Mon, 22 Sep 2008 23:19:16 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: glarkin@FreeBSD.org
Cc: freebsd-jail@freebsd.org
References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> <48D7F756.9040704@FreeBSD.org>
In-Reply-To: <48D7F756.9040704@FreeBSD.org>
Subject: Re: request for (security) comments on this setup

Greg Larkin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Miroslav Lachman wrote:
>
>>Bjoern A. Zeeb wrote:
>>
>>>On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>
>>>Hi,
>>>
>>>
>>>>I'm mounting some iSCSI storage in a jail. It's mounting in the jail
>>>>via fstab. When the jail is up and I'm logged into the jail I can cd
>>>>to the mount point, r/w etc., everything seems to work. What's weird
>>>>tho' is, while a df on the parent shows the partition mounted as
>>>>expected, a df inside the jail shows the local disk but not the iSCSI
>>>>mount.
>>>>...
>>>>So, my first question is what am I missing, the second is does
>>>>mounting things this way into a jail pose any sort of risk for
>>>>escaping the jail?
>>>
>>>
>>>Does anything change if you do a
>>>    sysctl security.jail.enforce_statfs=1
>>>
>>>If that's what you want you can add the following lines to
>>>/etc/sysctl.conf in the base system so it is automatically set upon
>>>boot:
>>>
>>># jails
>>>security.jail.enforce_statfs=1
>>
>>Does this have any impact on security?
>>
>># sysctl -d security.jail.enforce_statfs
>>security.jail.enforce_statfs: Processes in jail cannot see all mounted
>>file systems
>>
>>For what is this sysctl implemented?
>>
>>Thanks
>>
>>Miroslav Lachman
>
>
> Hi Miroslav,
>
> - From the jail(8) man page:
>
>      security.jail.enforce_statfs
>
>      This MIB entry determines which information processes in a jail are
>      able to get about mount-points.  It affects the behaviour of the
>      following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>      fhstatfs(2) (as well as similar compatibility syscalls).  When set
>      to 0, all mount-points are available without any restrictions.  When
>      set to 1, only mount-points below the jail's chroot directory are
>      visible.  In addition to that, the path to the jail's chroot
>      directory is removed from the front of their pathnames.  When set to 2
>      (default), above syscalls can operate only on a mount-point where
>      the jail's chroot directory is located.
>
> Hope that helps,
> Greg

Thank you, I forgot to open the jail(8) man page before posting :)
If I understand it correctly - it is just about what information (about
mountpoints) is visible to processes inside a jail without any security
impact and it is safe to use security.jail.enforce_statfs=1. Am I right?

(I am sorry for maybe dumb questions, but I am not a kernel/OS developer
and statfs, fstatfs, getfsstat did not tell me much)

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 22:22:23 2008
Message-ID: <48D81AA0.6030605@FreeBSD.org>
Date: Mon, 22 Sep 2008 18:22:24 -0400
From: Greg Larkin
Organization: The FreeBSD Project
To: Miroslav Lachman <000.fbsd@quip.cz>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> <48D7F756.9040704@FreeBSD.org> <48D80BD4.8050505@quip.cz>
In-Reply-To: <48D80BD4.8050505@quip.cz>
OpenPGP:
id=1C940290
Cc: freebsd-jail@freebsd.org
Reply-To: glarkin@FreeBSD.org
Subject: Re: request for (security) comments on this setup

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Miroslav Lachman wrote:
> Greg Larkin wrote:
[...]
>>
>>
>> Hi Miroslav,
>>
>> - From the jail(8) man page:
>>
>>      security.jail.enforce_statfs
>>
>>      This MIB entry determines which information processes in a jail are
>>      able to get about mount-points.  It affects the behaviour of the
>>      following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>>      fhstatfs(2) (as well as similar compatibility syscalls).  When set
>>      to 0, all mount-points are available without any restrictions.  When
>>      set to 1, only mount-points below the jail's chroot directory are
>>      visible.  In addition to that, the path to the jail's chroot
>>      directory is removed from the front of their pathnames.  When set to 2
>>      (default), above syscalls can operate only on a mount-point where
>>      the jail's chroot directory is located.
>>
>> Hope that helps,
>> Greg
>
> Thank you, I forgot to open the jail(8) man page before posting :)
> If I understand it correctly - it is just about what information (about
> mountpoints) is visible to processes inside a jail without any security
> impact and it is safe to use security.jail.enforce_statfs=1. Am I right?
> (I am sorry for maybe dumb questions, but I am not a kernel/OS developer
> and statfs, fstatfs, getfsstat did not tell me much)
>

No worries - I did a little experiment with a jail I have running to show
you what the jail can see for different settings of the sysctl:

- ---> enforce_statfs=2 (default)

[glarkin@r90-3 ~]$ df
Filesystem    1K-blocks     Used    Avail Capacity  Mounted on
/dev/da1s1d     8119416  6401772  1068092    86%    /

- ---> enforce_statfs=1

[glarkin@r90-3 ~]$ df
Filesystem    1K-blocks     Used    Avail Capacity  Mounted on
/dev/da1s1d     8119416  6401772  1068092    86%    /
devfs                 1        1        0   100%    /dev
procfs                4        4        0   100%    /proc

- ---> enforce_statfs=0

[glarkin@r90-3 ~]$ df
Filesystem    1K-blocks     Used    Avail Capacity  Mounted on
/dev/da0s1a      507630    46858   420162    10%    /
devfs                 1        1        0   100%    /dev
/dev/da0s1e      444142    91984   316628    23%    /tmp
/dev/da0s1g     5074328   985860  3682522    21%    /usr
/dev/da0s1d       63214    20352    37806    35%    /usr/home
/dev/da0s1f     1012974   280278   651660    30%    /var
/dev/da1s1d     8119416  6401772  1068092    86%    /SHN
/dev/da3s1d     2025328  1128128   735174    61%    /usr/ports
/dev/da2s1d     2025328   444708  1418594    24%    /usr/src
devfs                 1        1        0   100%    /var/named/dev
devfs                 1        1        0   100%    /SHN/Jails/Jail3/dev
procfs                4        4        0   100%    /SHN/Jails/Jail3/proc

It looks like setting 1 or 2 is sufficient for programs executing in the
jail. If the sysctl is set to 0, you can see the filesystems on the host
server, but you still can't access them, as far as I can tell.

Regards,
Greg

- --
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI2Bqg0sRouByUApARAgEMAJwLD3pvD66vwnSIPst+Xnir5UYDhACgoNat
+WeCH3jD8R3lxvYoX3xYwnE=
=i8Rd
-----END PGP SIGNATURE-----

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 23 11:50:07 2008
Date: Tue, 23 Sep 2008 11:48:49 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-jail@freebsd.org
In-Reply-To: <20080919174810.K65801@maildrop.int.zabbadoz.net>
Message-ID: <20080923114731.G65801@maildrop.int.zabbadoz.net>
References: <20080919174810.K65801@maildrop.int.zabbadoz.net>
Subject: Re: multi-/no-ipv4/6 patch for releng_7

On Sat, 20 Sep 2008, Bjoern A. Zeeb wrote:

Hi,

> here's a new patch for RELENG_7. In contrast to before I have NOT
> TESTED this patch THOROUGHLY.

FYI: I know production machines with ipv4/ipv6 jails that have been up
for two days running this patch.

> In case you find any problem let me know and I might be able to fix
> it (quickly) and post a new patch (if your bugreport is good:).
>
> Changes since last release (same as for HEAD):
> - SCTP enabled (again) for IPv4 and on for v6 as well. Might need
>   another pair of eyes or someone to write regression tests.
> - jls -a/-v implemented/documented -- output format has changed.
> - updated ipv4 source address selection (changes semantics, please
>   test/review carefully)
> - minor cleanup
>
> Please report anything you want/that needs to be/... changed/fixed/...
>
> Ah the patch is here:
> http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
>
> /bz
>
>

--
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
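Editor's worked example for the enforce_statfs thread earlier in this digest (Randy Schultz's spectro jail, Bjoern Zeeb's sysctl suggestion and Greg Larkin's df comparison). This is an added illustration, not code from any message, from FreeBSD, or from its kernel: it models the filtering the kernel applies to getfsstat(2) results for a jailed process under each value of security.jail.enforce_statfs, using the semantics Greg quoted from jail(8), applied to a constructed in-memory mount table built from his enforce_statfs=0 output. The jail root path /SHN/Jails/Jail3 is an assumption read off that output. One point the man page wording leaves implicit but Greg's enforce_statfs=1 output shows: the filesystem the jail root itself lives on is also reported, as /, so the model does the same. Feeding it Randy's fstab.spectro layout (under the default of 2, only the root filesystem is reported, which is exactly why his df showed the local disk and not the iSCSI mount; under 1, /basejail and /data appear) reproduces the first question in the thread.

```python
"""
Model of security.jail.enforce_statfs (0, 1, 2) over an in-memory mount table.

Added illustration, not FreeBSD code.  The real filtering happens in the
kernel when a jailed process calls statfs(2)/fstatfs(2)/getfsstat(2)/
fhstatfs(2); this script applies the same rules, as documented in jail(8)
and observed in the thread's df output, to constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Mount:
    """One entry of the host mount table: device and host-side mountpoint."""
    device: str
    mountpoint: str


# Constructed sample data modelled on Greg Larkin's enforce_statfs=0 df output
# (sizes omitted; only device and mountpoint matter for the visibility rules).
HOST_MOUNTS: List[Mount] = [
    Mount("/dev/da0s1a", "/"),
    Mount("devfs", "/dev"),
    Mount("/dev/da0s1e", "/tmp"),
    Mount("/dev/da0s1g", "/usr"),
    Mount("/dev/da0s1d", "/usr/home"),
    Mount("/dev/da0s1f", "/var"),
    Mount("/dev/da1s1d", "/SHN"),
    Mount("/dev/da3s1d", "/usr/ports"),
    Mount("/dev/da2s1d", "/usr/src"),
    Mount("devfs", "/var/named/dev"),
    Mount("devfs", "/SHN/Jails/Jail3/dev"),
    Mount("procfs", "/SHN/Jails/Jail3/proc"),
]

# Assumed jail root for the sample above (inferred from the devfs/procfs
# entries in the df output; the real jail's path is not stated in the thread).
JAIL_ROOT = "/SHN/Jails/Jail3"


def _is_below(path: str, root: str) -> bool:
    """True if path equals root or is a path component below it."""
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def _relative_to_root(path: str, root: str) -> str:
    """Rewrite a host path so the jail sees it relative to its own /."""
    if path == root:
        return "/"
    if root == "/":
        return path
    return path[len(root):]


def containing_mount(mounts: List[Mount], path: str) -> Optional[Mount]:
    """The mount whose mountpoint is the longest prefix of path, i.e. the
    filesystem the path actually lives on."""
    best: Optional[Mount] = None
    for m in mounts:
        if _is_below(path, m.mountpoint):
            if best is None or len(m.mountpoint) > len(best.mountpoint):
                best = m
    return best


def jailed_getfsstat(mounts: List[Mount], jail_root: str, enforce_statfs: int) -> List[Mount]:
    """Mount list a jailed process gets from getfsstat(2) under each setting:
      0: the full host table, paths unchanged
      1: the filesystem the jail root lives on (shown as /) plus every mount
         below the jail root, with the root prefix stripped from the path
      2: only the filesystem the jail root lives on, shown as / (the default)
    """
    if enforce_statfs == 0:
        return list(mounts)
    root_fs = containing_mount(mounts, jail_root)
    if root_fs is None:
        return []
    visible = [Mount(root_fs.device, "/")]
    if enforce_statfs == 2:
        return visible
    if enforce_statfs == 1:
        for m in mounts:
            if m is root_fs:
                continue  # already listed as /
            if _is_below(m.mountpoint, jail_root):
                visible.append(Mount(m.device, _relative_to_root(m.mountpoint, jail_root)))
        return visible
    raise ValueError("security.jail.enforce_statfs must be 0, 1 or 2")


def format_df(mounts: List[Mount]) -> str:
    """Render a mount list in the two-column shape of the thread's df output."""
    width = max((len(m.device) for m in mounts), default=10)
    lines = [f"{'Filesystem':<{width}}  Mounted on"]
    lines += [f"{m.device:<{width}}  {m.mountpoint}" for m in mounts]
    return "\n".join(lines)


if __name__ == "__main__":
    for level in (2, 1, 0):
        print(f"---> enforce_statfs={level}")
        print(format_df(jailed_getfsstat(HOST_MOUNTS, JAIL_ROOT, level)))
        print()
```

The visibility rules are path-prefix checks on the host-side mountpoint, which is why mode 1 is purely an information-disclosure knob: it changes what a jailed df reports, not what the jailed process can open, and mounting a filesystem under the jail root with the host's fstab (as in Randy's setup) does not by itself give the jail anything outside its root.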
From owner-freebsd-jail@FreeBSD.ORG Wed Sep 24 18:35:08 2008
Date: Wed, 24 Sep 2008 18:34:53 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Ruslan Ermilov
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, freebsd-jail@FreeBSD.org
Reply-To: freebsd-jail@FreeBSD.org
In-Reply-To: <200809241525.m8OFPifi095256@repoman.freebsd.org>
Message-ID: <20080924181315.S65801@maildrop.int.zabbadoz.net>
Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

On Wed, 24 Sep 2008, Ruslan Ermilov wrote:

> ru          2008-09-24 15:18:27 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     etc/rc.d             jail
>     share/man/man5       rc.conf.5
>   Log:
>   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
>
>   Allow a jail's IP alias to be created with an arbitrary netmask.

So I had been talking with various people during the last weeks/months
about this feature of configuring an interface from rc.d/jail and I
had been >< close to remove it a lot of times but it seems people
prefer to actually mix network configuration, management and jail
startup/teardown in a single script, which I think is a very
questionable thing especially considering that we already had an
SA for[1] that script for other means.

So you know I have v4/v6/multi/no-IP jails and once the next vimage
step is in I plan to have it hit the tree and I am currently
integrating a patch that would even allow the ifconfig to work with
multiple IPv4/v6 addresses because up to now I decided to leave this
feature in.

Now adding a netmask only makes sense for exactly one use case to my
understanding and this is not going to play well with whatever will
hit the tree.

Adding yet another variable to rc.conf to control another question
knob is something, as I hate to say, I am no longer going to be ok
with (this has nothing to do with you or that it might be needed in a
setup).

My suggestion would be, that if we want those features to add
them separately doing a superset of the startup script or something
just for this and actually use network.subr or the like to set it up
but keep the list of IP/Netmasks kind of separated from options for
the jail(8) command.

In worst case something like this (read the BUT later) and have a
jail_example_ipv4_alias0="192.0.2.1/24"
jail_example_ipv4_alias1="192.0.2.2/32"
jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255"
jail_example_ipv6_alias0="2001:dbe::1"
jail_example_ipv6_alias1="2001:dbe::2/128"
and then have a single knob
jail_example_configure_ips_on_interfaces="NO"
and still use the above list to create the jail(8) argument if you want
it like that.

BUT wait the above is not going to work out as I am missing the
interface for each alias instance.
We need a full interface X af X address X netmask tuple with each
entry and a defined order per AF as the first IP will be specially
treated.

That's why I am saying networking is networking and jails are jails
and to combine both you need a management app/script/... as it is
too many options/knobs/...

FYI for the multi-IP jails (without this feature) I didn't even have
to think about the startup script as it would just have continued to
work. Adding no-IP support I had to change an exit case to _foo="\"\""
in rc.d/jail.

With supporting the ifconfig you need to add a few more lines.

With the netmasks I still have no idea where we'll end up.

I suggest we once and for all discuss this on freebsd-jail, decide
how to continue with this feature.
I am Cc:ing and setting Reply-to:

>   MFC after:	3 days

I would kindly ask you to hold back an MFC into 7 until there is a
conclusion.

>
>   Revision  Changes    Path
>   1.40      +3 -1      src/etc/rc.d/jail
>   1.348     +7 -1      src/share/man/man5/rc.conf.5
>

References:
[1] http://security.freebsd.org/advisories/FreeBSD-SA-07:01.jail.asc

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From owner-freebsd-jail@FreeBSD.ORG Thu Sep 25 06:00:22 2008
Date: Thu, 25 Sep 2008 09:20:04 +0400
From: Ruslan Ermilov
To: freebsd-jail@freebsd.org
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
In-Reply-To: <20080924181315.S65801@maildrop.int.zabbadoz.net>
Message-ID: <20080925052004.GB76968@edoofus.dev.vega.ru>
Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

Hi Bjoern,

On Wed, Sep 24, 2008 at 06:34:53PM +0000, Bjoern A.
Zeeb wrote:
> On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
>
> > ru          2008-09-24 15:18:27 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     etc/rc.d             jail
> >     share/man/man5       rc.conf.5
> >   Log:
> >   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
> >
> >   Allow a jail's IP alias to be created with an arbitrary netmask.
>
> So I had been talking with various people during the last weeks/months
> about this feature of configuring an interface from rc.d/jail and I
> had been >< close to remove it a lot of times but it seems people
> prefer to actually mix network configuration, management and jail
> startup/teardown in a single script, which I think is a very
> questionable thing especially considering that we already had an
> SA for[1] that script for other means.
>
> So you know I have v4/v6/multi/no-IP jails and once the next vimage
> step is in I plan to have it hit the tree and I am currently
> integrating a patch that would even allow the ifconfig to work with
> multiple IPv4/v6 addresses because up to now I decided to leave this
> feature in.
>
> Now adding a netmask only makes sense for exactly one use case to my
> understanding and this is not going to play well with whatever will
> hit the tree.
>
At work, we use ezjail as a management tool for jails. We want our
jails to be moveable between a set of hosts, so a jail's IP doesn't
necessarily belong to host X at any given time. With the netmask in
rc.d/jail hardcoded to 255.255.255.255, we have to configure a host's
interface with IP addresses/netmasks corresponding to jails' IPs (and
we have different IP networks). In practice this means we waste real
IPs for nothing -- for a host with a single jail we waste one real IP
address.

To picture it: on a host that's not otherwise configured with 192.168.0
addresses, to up a jail with 192.168.0.13 we have to waste one more
address from 192.168.0, e.g. 192.168.0.1, for the host to be able to
route packets between 192.168.0.13 and 192.168.0.*.

> Adding yet another variable to rc.conf to control another question
> knob is something, as I hate to say, I am no longer going to be ok
> with (this has nothing to do with you or that it might be needed in a
> setup).
>
> My suggestion would be, that if we want those features to add
> them separately doing a superset of the startup script or something
> just for this and actually use network.subr or the like to set it up
> but keep the list of IP/Netmasks kind of separated from options for
> the jail(8) command.
>
> In worst case something like this (read the BUT later) and have a
> jail_example_ipv4_alias0="192.0.2.1/24"
> jail_example_ipv4_alias1="192.0.2.2/32"
> jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255"
> jail_example_ipv6_alias0="2001:dbe::1"
> jail_example_ipv6_alias1="2001:dbe::2/128"
> and then have a single knob
> jail_example_configure_ips_on_interfaces="NO"
> and still use the above list to create the jail(8) argument if you want
> it like that.
>
> BUT wait the above is not going to work out as I am missing the
> interface for each alias instance.
> We need a full interface X af X address X netmask tuple with each
> entry and a defined order per AF as the first IP will be specially
> treated.
>
> That's why I am saying networking is networking and jails are jails
> and to combine both you need a management app/script/... as it is
> too many options/knobs/...
>
> FYI for the multi-IP jails (without this feature) I didn't even have
> to think about the startup script as it would just have continued to
> work. Adding no-IP support I had to change an exit case to _foo="\"\""
> in rc.d/jail.
>
> With supporting the ifconfig you need to add a few more lines.
>
> With the netmasks I still have no idea where we'll end up.
>
> I suggest we once and for all discuss this on freebsd-jail, decide
> how to continue with this feature.
> I am Cc:ing and setting Reply-to:
>
> >   MFC after:	3 days
>
> I would kindly ask you to hold back an MFC into 7 until there is a
> conclusion.
>
I'd be happy with anything that allowed us NOT to waste IP addresses,
preferably in FreeBSD 7.1.

I have a solution that involves having static routes (in the example
above, I'd add a route to 192.168.0/24 over some Ethernet interface
that's equivalent to saying to resolve these IPs using ARP on this
interface), but it's not ideal as I don't want these addresses to be
accessible/resolvable when a host doesn't have configured IPs in this
range.

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-jail@FreeBSD.ORG Thu Sep 25 20:56:00 2008
Date: Thu, 25 Sep 2008 22:55:59 +0200
From: "Simon L.
Nielsen"
To: Ruslan Ermilov
Cc: cvs-src@freebsd.org, freebsd-jail@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Reply-To: Ruslan Ermilov, "Simon L. Nielsen", freebsd-jail@freebsd.org
In-Reply-To: <20080925052004.GB76968@edoofus.dev.vega.ru>
Message-ID: <20080925205558.GA1114@arthur.nitro.dk>
Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

[Trying to move off commit lists]

On 2008.09.25 09:20:04 +0400, Ruslan Ermilov wrote:
> Hi Bjoern,
>
> On Wed, Sep 24, 2008 at 06:34:53PM +0000, Bjoern A. Zeeb wrote:
> > On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
> >
> > > ru          2008-09-24 15:18:27 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     etc/rc.d             jail
> > >     share/man/man5       rc.conf.5
> > >   Log:
> > >   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
> > >
> > >   Allow a jail's IP alias to be created with an arbitrary netmask.
> >
> > So I had been talking with various people during the last weeks/months
> > about this feature of configuring an interface from rc.d/jail and I
> > had been >< close to remove it a lot of times but it seems people
> > prefer to actually mix network configuration, management and jail
> > startup/teardown in a single script, which I think is a very
> > questionable thing especially considering that we already had an
> > SA for[1] that script for other means.
> >
> At work, we use ezjail as a management tool for jails. We want our
[...]

I think the main problem is that the configuration required for jails
"today" is simply too much for what should be done in an rc.d script
configured by rc.conf. At the Cambridge Devsummit we talked about
creating some kind of more advanced jail management system and I think
that is the way to go in the long run and kill off rc.d/jail. Of course
doing this is no small task, but I think adding kludges to rc.conf is
going to be increasingly painful.

I'm not sure what form a management system should take, but having
ezjail like functionality in base would be a good thing IMO.

Personally I also have a rather strong dislike for the jail auto ip
setting feature, but as people are using it removing the functionality
will cause pain.

-- 
Simon L. Nielsen

From owner-freebsd-jail@FreeBSD.ORG Fri Sep 26 00:14:16 2008
Date: Fri, 26 Sep 2008 01:58:29 +0200
From: Nejc Škoberne
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Message-ID: <48DC25A5.3010109@skoberne.net>
Subject: Re: multi-/no-ipv4/6 patch for releng_7

Hello,

does this patch maybe also allow services in jail to listen at
broadcast addresses? If not, do you maybe know if there is any way to
achieve this?

Thanks,
Nejc

From owner-freebsd-jail@FreeBSD.ORG Fri Sep 26 05:33:51 2008
Date: Fri, 26 Sep 2008 09:33:40 +0400
From: Ruslan Ermilov
To: "Simon L.
Nielsen", freebsd-jail@FreeBSD.org
In-Reply-To: <20080925205558.GA1114@arthur.nitro.dk>
Message-ID: <20080926053340.GA84495@edoofus.dev.vega.ru>
Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5

On Thu, Sep 25, 2008 at 10:55:59PM +0200, Simon L. Nielsen wrote:
> Personally I also have a rather strong dislike for the jail auto ip
> setting feature, but as people are using it removing the functionality
> will cause pain.
>
It's quite normal that the jail's IP migrates with the jail itself,
including not having an IP address configured if the jail is off.
Otherwise (when the jail is off but its address is on), you may end up
accessing a host system's Web/SSH/etc. server instead of jail's.

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
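As an added illustration of the per-jail alias list Bjoern sketched earlier in the thread (this is example code, not code from the thread or from FreeBSD's rc.d/jail), the POSIX sh below parses such a list, extended with the interface he notes each entry is missing, into dry-run ifconfig(8) alias commands and the address list jail(8) would receive. The "interface af address" entry layout, the jail name "example", the em0 interface and the 2001:db8:: addresses are this example's own assumptions; it prints commands rather than running them.

```shell
#!/bin/sh
# Constructed sample rc.conf fragment for a jail named "example". The leading
# interface field is this example's own assumption; the thread's sketch lacked it.
jail_example_ipv4_alias0="em0 192.0.2.1/24"
jail_example_ipv4_alias1="em0 192.0.2.2/32"
jail_example_ipv4_alias2="em0 192.0.2.2 netmask 255.255.255.255"
jail_example_ipv6_alias0="em0 2001:db8::1"
jail_example_ipv6_alias1="em0 2001:db8::2/128"
jail_example_configure_ips_on_interfaces="NO"

# Print a jail's aliasN entries for one family (ipv4|ipv6), one per line, in
# N order; the first address of each family is the one jail(8) treats specially.
jail_alias_entries() {
	_jail=$1 _af=$2 _n=0
	while :; do
		eval _entry=\${jail_${_jail}_${_af}_alias${_n}:-}
		[ -n "$_entry" ] || break
		printf '%s\n' "$_entry"
		_n=$((_n + 1))
	done
}

# One entry -> one ifconfig(8) alias command. A bare address gets the host mask
# rc.d/jail hardcodes (/32 or /128); "addr/len" and "addr netmask m" pass through.
alias_to_ifconfig() {
	case $1 in ipv4) _inet=inet _hostlen=32 ;; ipv6) _inet=inet6 _hostlen=128 ;; *) return 1 ;; esac
	set -- $2
	if [ "${3:-}" = netmask ]; then
		printf 'ifconfig %s %s %s netmask %s alias\n' "$1" "$_inet" "$2" "$4"
	else
		case $2 in */*) _addr=$2 ;; *) _addr=$2/$_hostlen ;; esac
		printf 'ifconfig %s %s %s alias\n' "$1" "$_inet" "$_addr"
	fi
}

# Print the ifconfig commands for every alias, unless the jail's knob says the
# addresses are managed outside rc.d/jail (then nothing is printed).
jail_ifconfig_cmds() {
	eval _knob=\${jail_${1}_configure_ips_on_interfaces:-YES}
	case $_knob in [Nn][Oo]) return 0 ;; esac
	for _af in ipv4 ipv6; do
		jail_alias_entries "$1" "$_af" | while read -r _e; do
			alias_to_ifconfig "$_af" "$_e"
		done
	done
}

# Comma-separated address list for jail(8): interfaces and masks stripped,
# duplicates dropped, IPv4 before IPv6, order within a family kept.
jail_ip_list() {
	_out= _seen=,
	for _af in ipv4 ipv6; do
		for _addr in $(jail_alias_entries "$1" "$_af" | while read -r _if _a _r; do printf '%s\n' "${_a%%/*}"; done); do
			case $_seen in *,"$_addr",*) continue ;; esac
			_seen=$_seen$_addr, _out=${_out:+$_out,}$_addr
		done
	done
	printf '%s\n' "$_out"
}

# Dry run: what would go to ifconfig(8) (nothing while the knob is NO) and to jail(8).
jail_ifconfig_cmds example
printf 'jail(8) addresses: %s\n' "$(jail_ip_list example)"
```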