From: Jeremie Le Hen
To: Brian Candler
Cc: freebsd-current@FreeBSD.org
Date: Fri, 23 Sep 2005 18:30:42 +0200
Subject: Re: jail's periodic stuff
Message-ID: <20050923163042.GZ24643@obiwan.tataz.chchile.org>
In-Reply-To: <20050923113819.GA95825@uk.tiscali.com>
References: <20050922122113.GO24643@obiwan.tataz.chchile.org> <20050923092231.GF94511@uk.tiscali.com> <20050923100707.GW24643@obiwan.tataz.chchile.org> <20050923113819.GA95825@uk.tiscali.com>
List-Id: Discussions about the use of FreeBSD-current (freebsd-current@freebsd.org)
User-Agent: Mutt/1.5.10i

Hi Brian,

> Problem 1? "These scripts fail when you attempt to run them inside a jail(8)"
>
> I don't see this as a problem, I see it as correct behaviour. You try to do
> something which you are not allowed to do, and the kernel prohibits it. The
> same would be true if you tried to run these scripts as a non-root user, for
> example.
>
> I wouldn't expect to see magic in these scripts saying
>
>     if [ `id -u` != 0 ]; then
>         exit 0
>     fi
>
> so I don't see any need to add magic to exit early if the script is run in a
> jail.
>
> Problem 2? "These scripts are invoked by cron periodically in a default jail
> installation, and this causes spurious error mails to be sent out every day"
>
> This I agree is undesirable behaviour, and it derives from the fact that a
> jail installation is just a normal FreeBSD installation, which expects that
> it needs to run periodic machine-level admin tasks when in fact it is
> running at the jail level where these tasks are inappropriate.
>
> So for me the obvious solution is to make a jail installation slightly
> different from a normal installation, by installing /etc/periodic.conf which
> disables those tasks that send out spurious mails.
>
> If you want to run the machine-level tasks only when cron is running outside
> a jail, without explicit configuration, then I'd suggest the place to put
> the magic is /etc/defaults/periodic.conf (which is, after all, just a shell
> script)
>
>     if [ `sysctl -n security.jail.jailed` = 0 ]; then
>         not_jailed="YES"
>     else
>         not_jailed="NO"
>     fi
>
>     ...
>
>     # 600.ip6fwdenied
>     daily_status_security_ip6fwdenied_enable="$not_jailed"
>
>     # 610.ipf6denied
>     daily_status_security_ipf6denied_enable="$not_jailed"
>
> This seems cleaner to me, as it still allows you to override these policies
> (even if that's not currently a useful thing to do)

Actually, I was thinking of the rc.d scripts. In the manner of periodic
scripts, they are not intended to be executed by a normal user (as all
scripts under /etc), so they don't need this kind of magic. I agree with
you on this point. Nonetheless rc.d scripts do have a ``nojail'' keyword,
but these are run through the rc(8) framework, which is not the case for
periodic scripts. Therefore we can't easily use such a keyword. There are
two options offered to us in my point of view:

  o add the following test to each script that can't be run in a jail
    environment:

    % if [ `sysctl -n security.jail.jailed` -eq 1 ]
    % then
    %     exit 0
    % fi

  o modify periodic(8) in order to handle such a keyword.

In my opinion, given that there are only a few scripts that should be
avoided inside a jail, the second solution is a little bit overkill, but I
wanted to be sure of this, thus my question here. But the solution you
proposed below is quite attractive because it is not very intrusive and
doesn't require code duplication across periodic scripts. The attached
patch modifies etc/defaults/periodic.conf and implements this.
Note that I'm still not sure about these scripts:

    400.status-disks
    405.status-ata-raid
    420.status-network

For instance, 420 uses ``netstat -in''. It will not be able to run inside a
jail, unless /dev/mem is available (I'm not sure this is still the case
with rwatson@'s recent changes), which is, while still possible, very
unlikely. I would like to hear some advice from wise people about this.

Thank you.
Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

[Attachment: jailed_periodic.patch]

Index: defaults/periodic.conf =================================================================== RCS file: /donald/repo/FreeBSD/src/etc/defaults/periodic.conf,v retrieving revision 1.33 diff -u -p -r1.33 periodic.conf --- defaults/periodic.conf 24 Jan 2005 22:21:13 -0000 1.33 +++ defaults/periodic.conf 23 Sep 2005 16:25:25 -0000 @@ -22,6 +22,12 @@ periodic_conf_files="/etc/periodic.conf # periodic script dirs local_periodic="/usr/local/etc/periodic /usr/X11R6/etc/periodic" +# Use $nojail for things that are not intended to be run inside a jail. +nojail="YES" +if [ `sysctl -n security.jail.jailed` -eq 1 ] +then + nojail="NO" +fi # Daily options
@@ -148,25 +154,25 @@ daily_status_security_chkuid0_enable="YE daily_status_security_passwdless_enable="YES" # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" +daily_status_security_ipfwdenied_enable="$nojail" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +daily_status_security_ipfdenied_enable="$nojail" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +daily_status_security_pfdenied_enable="$nojail" # 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" +daily_status_security_ipfwlimit_enable="$nojail" # 600.ip6fwdenied -daily_status_security_ip6fwdenied_enable="YES" +daily_status_security_ip6fwdenied_enable="$nojail" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +daily_status_security_ipf6denied_enable="$nojail" # 650.ip6fwlimit -daily_status_security_ip6fwlimit_enable="YES" +daily_status_security_ip6fwlimit_enable="$nojail" # 700.kernelmsg daily_status_security_kernelmsg_enable="YES"
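Review bot: in the first hunk (`@@ -22,6 +22,12 @@`) the test `if [ `sysctl -n security.jail.jailed` -eq 1 ]` hands an empty operand to test(1) whenever the OID is not available (sysctl -n writes its error to stderr and nothing to stdout), so test(1) reports a syntax error and, because this file is sourced on every periodic run, that error repeats each time; quoting and string-matching the value, `if [ "`sysctl -n security.jail.jailed 2>/dev/null`" = 1 ]`, lets a missing OID fall through to the not-jailed branch. Two smaller points: `nojail="YES"` means "not in a jail" and is later used as an `_enable` value, which is easy to read backwards; `not_jailed`, as in Brian's sketch, avoids the double negative. And the new knob should get a sentence in periodic.conf(5).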
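Review bot: the second hunk (`@@ -148,25 +154,25 @@`) switches only the seven firewall-related daily security checks to `"$nojail"`, while the scripts the cover mail itself flags as doubtful (400.status-disks, 405.status-ata-raid, 420.status-network) keep their unconditional defaults, so a jail still sends those error mails; if they are left out deliberately, say so in the `$nojail` comment so the next reader does not have to reconstruct the reasoning. Worth stating there too that `$nojail` is expanded when /etc/defaults/periodic.conf is sourced, so an administrator who has made the firewall tools usable inside a jail can still set e.g. `daily_status_security_pfdenied_enable="YES"` in /etc/periodic.conf, which is exactly the override behaviour Brian asked for.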
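As an added example (not code from this mail or from FreeBSD's periodic.conf), the jail test the patch adds and the `*_enable` gating that periodic scripts apply are written below as small functions, so the two edge cases the thread touches, sysctl printing nothing because the OID is absent and an administrator override in /etc/periodic.conf, can be exercised on any host without a jail. The function names, and the choice to treat empty sysctl output as "not jailed", are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD's periodic.conf:
# the jail test the patch adds and the *_enable gating that periodic
# scripts apply, as functions, so the edge cases can be exercised on
# any host. Function names are this example's own choices.

# Interpret the stdout of `sysctl -n security.jail.jailed`.
# "1" means jailed. Empty output (no such OID, or no sysctl(8) at all)
# is deliberately treated as "not jailed" instead of being handed to
# test(1) as an empty operand, which is what an unquoted backquote
# substitution would do.
jailed_from_sysctl() {
    case "$1" in
    1) return 0 ;;
    *) return 1 ;;
    esac
}

# Live check on the current host; sysctl's stderr is discarded so a
# missing OID yields "" and therefore "not jailed".
jailed() {
    jailed_from_sysctl "$(sysctl -n security.jail.jailed 2>/dev/null)"
}

# Default value for knobs that must not run inside a jail, given the raw
# sysctl output. Mirrors the patch's $nojail: "YES" outside, "NO" inside.
nojail_for() {
    if jailed_from_sysctl "$1"; then echo NO; else echo YES; fi
}

# /etc/defaults/periodic.conf is sourced first and /etc/periodic.conf
# afterwards, so a value set in the latter ($2, when non-empty) replaces
# the computed default ($1).
resolve_enable() {
    if [ -n "$2" ]; then echo "$2"; else echo "$1"; fi
}

# The case pattern the stock periodic scripts use on their *_enable
# variables: YES in any letter case enables, anything else disables.
enabled() {
    case "$1" in
    [Yy][Ee][Ss]) return 0 ;;
    *) return 1 ;;
    esac
}

# Decide whether a check runs. $1: script name (for the message),
# $2: raw sysctl output, $3: override from /etc/periodic.conf ("" if none).
# Returns 0 when the check should run.
should_run() {
    _v=$(resolve_enable "$(nojail_for "$2")" "$3")
    if enabled "$_v"; then
        echo "$1: enabled ($_v)"
        return 0
    fi
    echo "$1: skipped ($_v)"
    return 1
}

# Stand-alone demonstration: the real host, then both jail states, then
# an override that re-enables a check inside a jail.
_host=$(sysctl -n security.jail.jailed 2>/dev/null)
should_run 500.ipfwdenied "$_host" "" || true
should_run 500.ipfwdenied 0 "" || true
should_run 500.ipfwdenied 1 "" || true
should_run 520.pfdenied 1 "YES" || true
```

`resolve_enable` models the sourcing order periodic(8) relies on: defaults first, then /etc/periodic.conf, so a jail that has been given working firewall tools keeps the ability to turn a check back on with a plain `..._enable="YES"` line.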