From: Alain Wolf
Date: Wed, 15 Aug 2007 18:47:05 +0200
To: Randy Schultz
Cc: freebsd-jail@freebsd.org
Subject: Re: security bug or operator "misunderstanding", and a query
Message-ID: <46C32E09.5090908@k18.ch>

Randy Schultz wrote, On 2007-08-15 17:27:
> Hey all,
>
> I've been messing around with, and liking, jails.
> I had a weird thing happen tho' that I cannot explain, and seems to violate
> the concept of jail.
>
> I have the AMD64 version of fbsd 6.2 set up, default install (plus a few
> minor ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:
>
> jail_list="ntpjail"
>
> jail_ntpjail_rootdir=/usr/local/jails/jail1
> jail_ntpjail_hostname=ntpjail.earlham.edu
> jail_ntpjail_ip=192.168.1.59
> jail_ntpjail_interface=bge1
> jail_ntpjail_devfs_enable="YES"
>
> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
> and no tweaks are in sysctl.conf.
>
> When I have the parent/jail up and running, ntpd not running on the parent,
> if I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
> barks with "address already in use". Now, I understand the "address already
> in use" part, but how can starting something in the jail affect anything on
> the parent? I thought the 2 were more separated than that.
>
> I'm trying to get to a setup where ntp on the parent sets the system time but
> doesn't answer any queries, and ntp in the jail answers the time queries. If
> anybody has any thoughts on whether or not this is even possible (short of
> recoding part of ntp ;) or possible avenues of investigation, pls let me know.
>
> Tnx.
>
> --
> Randy (schulra@earlham.edu) 765.983.1283 <*>

Hi Randy

Usually it is the other way round. The parent system uses up the jail's IP address, you have to take steps so that it doesn't do that before starting anything in the jail.

For TCP/IP on the parent system, a jail IP address is just another IP interface/address to use. It does not know about jails.

AFAIK things are planned for FBSD 7 to have more independent IP interfaces in jails.

Hope this helps.
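
The reply's point, that a parent daemon bound to the wildcard address also occupies the jail's address, modelled with two plain UDP sockets (an added example, not code from this thread). It creates no jail: the loopback addresses are constructed stand-ins for the parent and jail IPs, and 127.0.0.2 is assumed to be bindable, as it is on Linux.

```python
import errno
import socket


def bind_udp(addr, port):
    """Bind a UDP socket; return (socket, None) or (None, errno name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def second_bind_result(parent_addr, jail_addr):
    """The parent daemon binds parent_addr first; report what a later
    bind on jail_addr (same port) gets: "ok" or an errno name."""
    parent_sock, err = bind_udp(parent_addr, 0)  # port 0: kernel picks a free port
    if parent_sock is None:
        return "parent bind failed: " + err
    port = parent_sock.getsockname()[1]
    jail_sock, err = bind_udp(jail_addr, port)
    parent_sock.close()
    if jail_sock is None:
        return err
    jail_sock.close()
    return "ok"


if __name__ == "__main__":
    # Constructed stand-ins: 127.0.0.1 plays the parent's own address,
    # 127.0.0.2 plays the jail's alias address.
    # Case 1: parent daemon listens on every address (wildcard), so the
    # port is already taken on the "jail" address too.
    print("parent on 0.0.0.0   ->", second_bind_result("0.0.0.0", "127.0.0.1"))
    # Case 2: parent daemon is pinned to its own address, leaving the
    # same port free on the "jail" address.
    print("parent on 127.0.0.1 ->", second_bind_result("127.0.0.1", "127.0.0.2"))
```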