From: Scott Lambert
To: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 09:53:05 -0500
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)

On Fri, Aug 23, 2013 at 09:35:43AM -0500, Valeri Galtsev wrote:
> To the best of my knowledge, raw sockets are not allowed inside jail by
> default. This might be your problem (as far as I know how nagios works).
>
> To allow raw sockets you can do
>
> sysctl security.jail.allow_raw_sockets=1
>
> then you need to restart at least the jail inside which your nagios
> instance lives.
>
> To make the above enabled at boot time you can add the following line into
> /etc/sysctl.conf
>
> security.jail.allow_raw_sockets=1
>
> BTW, beware: this affects all jails.

All correct.

Putting this in /etc/rc.conf:

jail_${JailName}_parameters="allow.raw_sockets=1"

does not allow every jail access to raw sockets. There is an example in
/etc/defaults/rc.conf.

If you are using ezjails, just add that with a leading "export " to
the end of your /usr/local/etc/ezjail/${JailName} config file.

> On Fri, August 23, 2013 10:13 am, Mike C. wrote:
> >
> > I'm having a problem with nagios under a jail... commands work as root
> > and another normal user I created (it's not even in the wheel group)
> >
> > running commands such as "check_http" get me an Operation not permitted,
> > with ktrace I was able to confirm the problem:
> > connect -1 errno 1 Operation not permitted
> >
> >
> > The thing is this only happens with the user nagios and I can not figure
> > out why!
> >
> > I'm very new to jails, so I'm sure I'm possibly missing something
> > trivial, but I would appreciate any help!
> >
> > What could be different about the user to not allow "connect" ?
> >
> > Many thanks
> >
> > _______________________________________________
> > freebsd-jail@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
> >
>
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org

How to be a "computer expert," http://www.xkcd.com/627/
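
The thread distinguishes a host-wide sysctl from a per-jail rc.conf parameter. The following is an added example, not part of either message: a small audit that reads the two config files named above and reports at which scope raw sockets are enabled. The jail names and sample file contents are constructed, and the script only inspects config text; it does not query the running kernel.

```shell
#!/bin/sh
# Added example: report where raw sockets are enabled for jails, using the
# two files named in the thread. All sample file contents are constructed.

# Prints "global" if a sysctl.conf-style file ($1) sets
# security.jail.allow_raw_sockets=1 (the setting that affects all jails),
# otherwise prints "none". Commented-out lines are ignored.
global_raw_sockets() {
    grep -Eq '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=[[:space:]]*"?1"?[[:space:]]*(#.*)?$' "$1" \
        && echo global || echo none
}

# Prints, one per line, the jails whose jail_<name>_parameters line in an
# rc.conf-style file ($1) contains allow.raw_sockets=1.
jails_with_raw_sockets() {
    sed -n -E 's/^[[:space:]]*jail_([A-Za-z0-9_]+)_parameters="[^"]*allow\.raw_sockets=1[^"]*".*/\1/p' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sysctl.conf: host-wide default left off.
    printf '%s\n' 'security.jail.allow_raw_sockets=0' > "$tmp/sysctl.conf"
    # Constructed rc.conf: only the hypothetical "monitor" jail is opted in.
    printf '%s\n' \
        'jail_enable="YES"' \
        'jail_list="monitor www"' \
        'jail_monitor_parameters="allow.raw_sockets=1"' > "$tmp/rc.conf"
    echo "host-wide setting: $(global_raw_sockets "$tmp/sysctl.conf")"
    echo "per-jail opt-ins:  $(jails_with_raw_sockets "$tmp/rc.conf" | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

A result of "global" means every jail on the host gets raw sockets, which is the case the quoted message warns about; a short per-jail list keeps the privilege limited to the jails that need it.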