From: Oliver Fromme
To: pjd@FreeBSD.org (Pawel Jakub Dawidek)
Cc: cvs-src@FreeBSD.org, Michael Reifenberger, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 29 May 2008 15:11:10 +0200 (CEST)
Message-Id: <200805291311.m4TDBBpF066109@haluter.fromme.com>
In-Reply-To: <20080528205106.GB2865@garage.freebsd.pl> from "Pawel Jakub Dawidek" at May 28, 2008 10:51:06 PM
Subject: Re: cvs commit: src/usr.sbin/jexec jexec.8 jexec.c
List-Id: CVS commit messages for the entire tree

Pawel Jakub Dawidek wrote:
> On Mon, May 26, 2008 at 11:57:49AM +0000, Michael Reifenberger wrote:
> > mr          2008-05-26 11:57:49 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     usr.sbin/jexec       jexec.8 jexec.c
> >   Log:
> >   Extend jexec to accept hostname or ip-number besides jail-id.
>
> As many already suggested using IP numbers and hostnames can be tricky
> (and risky).

I think that an admin who decides to use jexec with IP numbers or
hostnames should be expected to be aware that there can be ambiguities,
and that he should make sure that his IP numbers and/or hostnames are
unique. Therefore I think that a warning in the manpage is more than
sufficient.

Personally I welcome Michael's patch very much. Until now I had to
perform quite complex ps/jls/grep/awk gymnastics in my jail maintenance
scripts. That's error-prone, ugly, and it certainly leaves something to
be desired. Now with the above new jexec feature, those scripts can be
simplified greatly. Of course I _do_ make sure that all of my jails have
unique hostnames.

However, I do share the concern that there's an ambiguity in the syntax:
"127" can be a jail ID as well as an IP number (same as 0.0.0.127) or a
hostname. Either the syntax should be changed so the meaning of the
argument is clear, or the manpage should be updated to include a warning
and a clear description of the order in which matching of the argument
is attempted.

A simple way to resolve it would be to require at least one dot for IP
numbers, otherwise it is matched as a jail ID. In practice I've never
seen people using single numbers (without dots) for IP numbers. In fact
I've been stared at with disbelief by coworkers many times when using
127.1 as a shortcut for 127.0.0.1.

> What do you think about using jail name from /etc/rc.conf?

Personally I don't set up my jails via the rc.d stuff (and I suspect I'm
not the only one), so that would only be of limited usefulness, I'm
afraid.

> PS. I'm not against this functionality, but we should be much more
> careful, especially with hostnames when
> security.jail.set_hostname_allowed=1.

I agree. If that sysctl is set to 1 (default!), matching against the
jails' hostnames should not be attempted.

Best regards
   Oliver

--
Oliver Fromme, Bunsenstr. 13, 81735 Muenchen, Germany

``We are all but compressed light'' (Albert Einstein)
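The disambiguation rule discussed in this thread (digits only is a jail ID, an address needs at least one dot, and hostname matching is skipped while jails may rename themselves) as an added, stand-alone C example; it is not code from jexec.c or from anyone in the thread, and the function and enum names are my own.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/*
 * How a jexec argument would be interpreted under the rule proposed
 * in the thread: digits only -> jail ID; dotted IPv4 -> address;
 * anything else -> hostname, which is only trusted when jails cannot
 * change their own hostname (security.jail.set_hostname_allowed=0).
 * Names are hypothetical, not from the real jexec sources.
 */
enum jail_arg_kind {
	JARG_JID,        /* numeric jail ID, e.g. "127" */
	JARG_IPV4,       /* dotted address, e.g. "127.0.0.1" or "127.1" */
	JARG_HOSTNAME,   /* jail hostname, matched only when safe */
	JARG_REJECTED    /* hostname match refused by policy */
};

static bool
all_digits(const char *s)
{
	if (*s == '\0')
		return false;
	for (; *s != '\0'; s++)
		if (!isdigit((unsigned char)*s))
			return false;
	return true;
}

/*
 * set_hostname_allowed mirrors the sysctl value: 1 means a jail may
 * set its own hostname, so a hostname match is not trustworthy.
 */
enum jail_arg_kind
classify_jail_arg(const char *arg, int set_hostname_allowed)
{
	struct in_addr ia;

	if (all_digits(arg))
		return JARG_JID;
	/*
	 * Require at least one dot before treating the argument as an
	 * address; inet_aton() still accepts shorthand such as "127.1".
	 */
	if (strchr(arg, '.') != NULL && inet_aton(arg, &ia) != 0)
		return JARG_IPV4;
	return set_hostname_allowed ? JARG_REJECTED : JARG_HOSTNAME;
}
```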