Date: Mon, 28 Aug 2006 16:23:34 +0200
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Mike Meyer <mwm@mired.org>
Cc: Dirk Engling <erdgeist@erdgeist.org>, hackers@freebsd.org
Subject: Re: jails, cron and sendmail
Message-ID: <20060828162334.5c026d7f@localhost>
In-Reply-To: <17650.61924.263953.172573@bhuda.mired.org>
References: <44F0E38F.5030809@erdgeist.org> <17648.59470.572563.377998@bhuda.mired.org> <20060827052733.F16322@erdgeist.org> <17649.9146.307818.780974@bhuda.mired.org> <44F1B7B7.9090701@erdgeist.org> <17649.54252.987757.501860@bhuda.mired.org> <20060828150039.21e8bd4a@localhost> <17650.61924.263953.172573@bhuda.mired.org>
Mike Meyer <mwm@mired.org> wrote:

> In <20060828150039.21e8bd4a@localhost>, Fabian Keil <freebsd-listen@fabiankeil.de> typed:
> > Mike Meyer <mwm-keyword-freebsdhackers2.e313df@mired.org> wrote:
> >
> > > In <44F1B7B7.9090701@erdgeist.org>, Dirk Engling <erdgeist@erdgeist.org> typed:
> >
> > > > > The default configuration doesn't expose sendmail to the publicly
> > > > > visible IP address. The daemon it runs only listens for connections to
> > > > > the localhost address.
> > > > Which is rewritten to the jail's (externally visible) address on a connect()
> > > Yup. I wasn't aware of that strange behavior of jails. That should be
> > > fixed.
> > Fixed how? Disallow jailed applications to connect to 127.0.0.1,
> > and thus break most of them, or have them reach 127.0.0.1 on the
> > host system and weaken the security?
> >
> > > I think the better fix would be to make jails not expose their
> > > localhost IP address to the outside world.
> > Exactly.

I think I misunderstood what you were saying here, sorry. I assumed you meant the user should run the jail on one of the addresses in the 127.0.0.0/8 range, while you probably were suggesting jails should have their own localhost IP address that is different from their outside IP address?

> Ok, I'm confused. Exactly how is fixing jails to not expose their
> localhost IP address to the outside world not fixing this strange
> behavior of jails?

AFAICS jails currently have no localhost IP address they could expose. They have one IP address that is always visible from the host system, and conveniently jailed applications that try to bind to 127.0.0.1 get connected to the one jail IP address, instead of receiving an error or getting through to the host system's localhost.

Fabian
-- 
http://www.fabiankeil.de/
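The behaviour Fabian describes (a jailed process asks for 127.0.0.1 and the kernel silently substitutes the jail's externally visible address) is exactly the kind of thing an administrator should verify rather than assume, because a daemon that believes it is "localhost only" may in fact be reachable from the network. The following is an added example, not code from the thread or from FreeBSD: it binds a TCP socket to 127.0.0.1 with an ephemeral port, asks the kernel with getsockname() which address it actually got, and reports whether the loopback address survived. On an unjailed host (or in any environment that does not rewrite loopback binds) it reports 127.0.0.1; inside a jail of the kind discussed above it would show the jail IP instead. The function name `loopback_bind_preserved` is an assumption of this example.

```c
/* Added example (not from the mailing-list thread or from FreeBSD):
 * detect whether a bind() to 127.0.0.1 is honoured or rewritten to
 * another address, the jail behaviour discussed in the message above.
 *
 * Return value of loopback_bind_preserved():
 *   1  the socket really is bound to 127.0.0.1
 *   0  the kernel substituted a different address (jail-style rewrite)
 *  -1  socket/bind/getsockname failed (errno is set)
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to 127.0.0.1 on an ephemeral port and report the address the kernel
 * actually assigned. If out_addr is non-NULL and out_len is at least
 * INET_ADDRSTRLEN, the dotted-quad text of that address is written to it. */
int loopback_bind_preserved(char *out_addr, size_t out_len)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in want;
    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = 0;                            /* kernel picks a free port */
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* what we ask for */

    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0) {
        close(fd);
        return -1;
    }

    /* Ask the kernel what it really bound; this is where a rewrite shows up. */
    struct sockaddr_in got;
    socklen_t len = sizeof got;
    if (getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (out_addr != NULL && out_len >= INET_ADDRSTRLEN)
        inet_ntop(AF_INET, &got.sin_addr, out_addr, out_len);

    return ntohl(got.sin_addr.s_addr) == INADDR_LOOPBACK ? 1 : 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int r = loopback_bind_preserved(addr, sizeof addr);
    if (r < 0) {
        perror("loopback check");
        return 1;
    }
    printf("asked for 127.0.0.1, kernel bound %s: loopback %s\n", addr,
           r ? "preserved" : "REWRITTEN (localhost-only services are exposed)");
    return 0;
}
```

Run it once on the host and once inside each jail; a result of "REWRITTEN" means every service configured to listen on 127.0.0.1 in that jail is in fact listening on the jail's routable address and needs a firewall rule or a real loopback address in front of it.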