Date: Thu, 29 May 2008 13:28:28 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Oliver Fromme
Cc: cvs-src@FreeBSD.org, Michael Reifenberger, src-committers@FreeBSD.org, Pawel Jakub Dawidek, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/jexec jexec.8 jexec.c
In-Reply-To: <200805291311.m4TDBBpF066109@haluter.fromme.com>
Message-ID: <20080529132242.J65662@maildrop.int.zabbadoz.net>
References: <200805291311.m4TDBBpF066109@haluter.fromme.com>
List-Id: CVS commit messages for the entire tree

On Thu, 29 May 2008, Oliver Fromme wrote:

> Pawel Jakub Dawidek wrote:
> > On Mon, May 26, 2008 at 11:57:49AM +0000, Michael Reifenberger wrote:
> > > mr          2008-05-26 11:57:49 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     usr.sbin/jexec       jexec.8 jexec.c
> > >   Log:
> > >   Extend jexec to accept hostname or ip-number besides jail-id.
> >
> > As many already suggested using IP numbers and hostnames can be tricky
> > (and risky).
>
> I think that an admin who decides to use jexec with IP
> numbers or hostnames should be expected to be aware that
> there can be ambiguities, and that he should make sure
> that his IP numbers and/or hostnames are unique.

I think that's a bad policy but ... As it already fetched the entire
data from the kernel, it would be easy to walk the list to the end and
barf on duplicates.

> Now with the above new jexec feature, those scripts can be
> simplified greatly. Of course I _do_ make sure that all
> of my jails have unique hostnames.

Lucky you.

Your jail goes away immediately when you stop it and the TCP socket
has to be torn down, still, and you restarted it and end up in the
'dead' one.

> However, I do share the concern that there's an ambiguity
> in the syntax: "127" can be a jail ID as well as an IP
> number (same as 0.0.0.127) or a hostname. Either the

Actually 127.0.0.0.

> syntax should be changed so the meaning of the argument
> is clear, or the manpage should be updated to include a
> warning and a clear description of the order in which the
> argument is tried to match.
>
> A simple way to resolve it would be to require at least
> one dot for IP numbers, otherwise it is matched as a
> jail ID. In practice I've never seen people using single
> numbers (without dots) for IP numbers. In fact I've been
> stared at with disbelief by coworkers many times when
> using 127.1 as a shortcut for 127.0.0.1.

Yes, because that is 127.1.0.0 and not 127.0.0.1.

> > What do you think about using jail name from /etc/rc.conf?
>
> Personally I don't set up my jails via the rc.d stuff (and
> I suspect I'm not the only one), so that would only be of
> limited usefulness, I'm afraid.

Sorry, we don't support private stuff.

> > PS. I'm not against this functionality, but we should be much more
> > careful, especially with hostnames when
> > security.jail.set_hostname_allowed=1.
>
> I agree. If that sysctl is set to 1 (default!), matching
> against the jails' hostnames should not be attempted.

Anyway, people have been discussing this more than it is worth.
The bugs in the code are still not fixed.

As Christian has pointed out we will have a 'jail name' soon.
Either this all will be fixed very soon or I'll miss it with my
next integrate...

-- 
Bjoern A. Zeeb                          Stop bit received. Insert coin for new game.
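The argument resolver argued over in this thread, written out as an added example; it is not code from the thread, from the jexec commit, or from FreeBSD's jexec.c. It applies the rules proposed above: an all-digit argument is a jail ID and is never tried as an IP number; an argument containing a dot that inet_pton() accepts is an IPv4 address; anything else is a hostname, and hostname matching is skipped entirely when the set_hostname_allowed flag is on, since a jail's root can then choose its own hostname. It also walks the whole jail list, as suggested, so that duplicates are reported instead of silently picking the first match. The jail table, the set_hostname_allowed parameter, resolve_jail(), lookup_sample() and every name and address in it are constructed for this example.

```c
/* Added example (not FreeBSD's jexec.c): resolve a jexec-style argument
 * to exactly one jail with unambiguous classification rules, and refuse
 * to act when more than one jail matches. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the data jexec fetches from the kernel. */
struct jail_entry {
    int jid;
    const char *ip;       /* dotted-quad as the kernel would report it */
    const char *hostname;
};

enum resolve_result {
    RESOLVE_OK = 0,        /* exactly one jail matched; *jid_out is set */
    RESOLVE_NOT_FOUND = 1,
    RESOLVE_AMBIGUOUS = 2  /* more than one jail matched: refuse */
};

static int all_digits(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Classify the argument once, then match only against that one field,
 * scanning the entire list so duplicates are detected. */
enum resolve_result resolve_jail(const struct jail_entry *jails, size_t n,
    const char *arg, int set_hostname_allowed, int *jid_out)
{
    struct in_addr addr;
    int by_jid = 0, by_ip = 0;
    int matches = 0, found = -1;
    long want_jid = 0;

    if (all_digits(arg)) {
        by_jid = 1;                       /* "127" is a jail ID, not 0.0.0.127 */
        want_jid = strtol(arg, NULL, 10);
    } else if (strchr(arg, '.') != NULL && inet_pton(AF_INET, arg, &addr) == 1) {
        by_ip = 1;                        /* full dotted quad only; "127.1" is rejected */
    } else if (set_hostname_allowed) {
        return RESOLVE_NOT_FOUND;         /* jail root may set its hostname: never match on it */
    }

    for (size_t i = 0; i < n; i++) {
        int hit;
        if (by_jid) {
            hit = (jails[i].jid == want_jid);
        } else if (by_ip) {
            struct in_addr jaddr;
            hit = (inet_pton(AF_INET, jails[i].ip, &jaddr) == 1 &&
                   jaddr.s_addr == addr.s_addr);
        } else {
            hit = (strcmp(jails[i].hostname, arg) == 0);
        }
        if (hit) {
            matches++;
            found = jails[i].jid;
        }
    }
    if (matches == 0)
        return RESOLVE_NOT_FOUND;
    if (matches > 1)
        return RESOLVE_AMBIGUOUS;
    *jid_out = found;
    return RESOLVE_OK;
}

/* Constructed sample list; jail 3 is a stale copy of jail 1 left behind
 * by a stop/restart, the duplicate-hostname case raised in the thread. */
static const struct jail_entry sample_jails[] = {
    {   1, "10.0.0.1",   "www.example.org"    },
    {   2, "10.0.0.2",   "db.example.org"     },
    {   3, "10.0.0.3",   "www.example.org"    },
    { 127, "10.0.0.127", "legacy.example.org" },
};
#define NSAMPLE (sizeof(sample_jails) / sizeof(sample_jails[0]))

/* Wrapper over the sample list: jid on success, -1 if no match,
 * -2 if the argument was ambiguous. */
int lookup_sample(const char *arg, int set_hostname_allowed)
{
    int jid = -1;
    switch (resolve_jail(sample_jails, NSAMPLE, arg, set_hostname_allowed, &jid)) {
    case RESOLVE_OK:        return jid;
    case RESOLVE_AMBIGUOUS: return -2;
    default:                return -1;
    }
}

int main(void)
{
    const char *args[] = { "127", "10.0.0.127", "127.1", "www.example.org" };
    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        int r = lookup_sample(args[i], 0);
        printf("%-16s -> %s", args[i],
            r == -2 ? "ambiguous, refusing" : r == -1 ? "not found" : "jid");
        if (r >= 0)
            printf(" %d", r);
        printf("\n");
    }
    return 0;
}
```

With these rules "127" can only ever mean jail ID 127, "0.0.0.127" and "127.0.0.0" are looked up as addresses, and the abbreviated "127.1" is rejected by inet_pton() and so falls through to (failing) hostname matching instead of being silently expanded. Passing set_hostname_allowed=1 turns off hostname lookups altogether, which is the behaviour Oliver and Pawel ask for when security.jail.set_hostname_allowed=1.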