From: Fabian Keil
To: Mike Meyer
Cc: Dirk Engling, hackers@freebsd.org
Subject: Re: jails, cron and sendmail
Date: Mon, 28 Aug 2006 16:23:34 +0200
Message-ID: <20060828162334.5c026d7f@localhost>
In-Reply-To: <17650.61924.263953.172573@bhuda.mired.org>
List: freebsd-hackers (Technical Discussions relating to FreeBSD)
Mike Meyer wrote:

> In <20060828150039.21e8bd4a@localhost>, Fabian Keil typed:
> > Mike Meyer wrote:
> >
> > > In <44F1B7B7.9090701@erdgeist.org>, Dirk Engling typed:
> >
> > > > > The default configuration doesn't expose sendmail to the publicly
> > > > > visible IP address. The daemon it runs only listens for connections to
> > > > > the localhost address.
> > > > Which is rewritten to the jail's (externally visible) address on a connect()
> > > Yup. I wasn't aware of that strange behavior of jails. That should be
> > > fixed.
> > Fixed how? Disallow jailed applications to connect to 127.0.0.1,
> > and thus break most of them, or have them reach 127.0.0.1 on the
> > host system and weaken the security?
> >
> > > I think the better fix would be to make jails not expose their
> > > localhost IP address to the outside world.
> > Exactly.

I think I misunderstood what you were saying here, sorry.
I assumed you meant the user should run the jail on one
of the addresses in the 127.0.0.0/8 range, while you
probably were suggesting jails should have their own
localhost IP address that is different from their outside
IP address?

> Ok, I'm confused. Exactly how is fixing jails to not expose their
> localhost IP address to the outside world not fixing this strange
> behavior of jails?

AFAICS jails currently have no localhost IP address they could
expose. They have one IP address that is always visible from the
host system, and conveniently jailed applications that try to
bind to 127.0.0.1 get connected to the one jail IP address,
instead of receiving an error or getting through to the host
system's localhost.
Fabian
-- 
http://www.fabiankeil.de/
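The rewrite the thread describes is easy to observe from inside a jail rather than infer from sockstat. The program below is an added example, not code from the thread or from FreeBSD: it binds a TCP socket to 127.0.0.1 on a free port and then asks the kernel, via getsockname(2), which address the socket was really given. On an unjailed host it reports 127.0.0.1; in a single-IP jail of the kind discussed above, the loopback request is silently rewritten and the program reports the jail's externally visible address instead. The function names are this example's own.

```c
/* Added example: detect whether a bind() to 127.0.0.1 was rewritten to
 * another address, as happens inside a single-IP FreeBSD jail.  Not part
 * of the original thread or of FreeBSD; function names are illustrative. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1:0 and write the address the kernel actually
 * assigned into `out` as a dotted quad.  Returns 0 on success, -1 if the
 * socket could not be created or bound (for example, no loopback interface
 * in the current environment), so callers can tell "no answer" from a
 * rewritten address. */
int loopback_bind_address(char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in want;
    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = 0;                              /* any free port */
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1 */

    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0) {
        close(fd);
        return -1;
    }

    /* Ask the kernel what it really bound us to; a jail may differ. */
    struct sockaddr_in got;
    socklen_t gotlen = sizeof got;
    if (getsockname(fd, (struct sockaddr *)&got, &gotlen) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &got.sin_addr, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

/* 1 if the address the kernel reported is not the loopback we asked for. */
int loopback_was_rewritten(const char *actual)
{
    return strcmp(actual, "127.0.0.1") != 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    if (loopback_bind_address(addr, sizeof addr) != 0) {
        perror("bind 127.0.0.1");
        return 1;
    }
    printf("asked for 127.0.0.1, bound to %s%s\n", addr,
           loopback_was_rewritten(addr) ? " (rewritten by jail)" : "");
    return 0;
}
```

Run it once on the host and once inside the jail: a daemon that "only listens on localhost" is, in the jailed case, listening on whatever address this program prints, which is exactly why the sendmail instance in the thread ends up reachable from the network.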