From owner-freebsd-security@FreeBSD.ORG Wed May 21 08:58:35 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F95837B401 for ; Wed, 21 May 2003 08:58:35 -0700 (PDT) Received: from fw.loc.ipnoz.net (ALyon-209-2-1-2.w80-14.abo.wanadoo.fr [80.14.204.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94B0943F75 for ; Wed, 21 May 2003 08:58:33 -0700 (PDT) (envelope-from tom@ipnoz.com) Received: from xtom (tom.in.loc.ipnoz.net [192.168.1.8]) by fw.loc.ipnoz.net (8.12.9/8.12.9) with SMTP id h4LFwQad063524 for ; Wed, 21 May 2003 17:58:28 +0200 (CEST) (envelope-from tom@ipnoz.com) Message-ID: <018801c31fb2$663cb480$0801a8c0@xtom> From: "Tom Dymond - Ipnoz" To: Date: Wed, 21 May 2003 18:02:37 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: netstat/ipcs inside jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 May 2003 15:58:35 -0000 Hi, i've got this problem with my jail and i'm abolutly lost as in the why of it. I previously posted this on comp.unix.bsd.freebsd.misc but i was advised to send here I was unable to find help on google :( To resume quick, when i'm in a jail, netstat doesn't work properly. Hopefully i have provided sufficient information for anyone willing to help me :p First of all, my system : FreeBSD cube.kmem.org 4.8-STABLE FreeBSD 4.8-STABLE #6: Tue May 20 22:22:47 CEST 2003 root@cube.kmem.org:/usr/obj/usr/src/sys/ruby2 i386 System was updated, mergemaster done, kernel in sync with world. The interfaces par of my rc.conf from the host : ifconfig_rl1="inet 10.0.2.1 netmask 255.255.255.0" ifconfig_rl1_alias0="inet 10.0.2.6 netmask 0xffffffff" route_0="10.0.2.6 -iface lo0" inetd_flags="-wW -a 10.0.2.1" portmap_enable="NO" --- - my sysctls for the jail are set as follows and are loaded by /etc/sysctl.conf > sysctl -a | grep jail jail.set_hostname_allowed: 0 jail.socket_unixiproute_only: 0 jail.sysvipc_allowed: 1 - my kernel is compiled with these options > grep SYSV ruby2 options SYSVSHM #SYSV-style shared memory options SYSVMSG #SYSV-style message queues options SYSVSEM #SYSV-style semaphores - df looks like this : > df Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/ar0s1a 128990 47838 70834 40% / /dev/ar0s1f 1032142 16 949556 0% /tmp /dev/ar0s1g 74232392 36708258 31585544 54% /usr /dev/ar0s1e 1032142 22036 927536 2% /var procfs 4 4 0 100% /proc procfs 4 4 0 100% /usr/home/jail/10.0.2.6/proc - jail is loaded by /usr/local/etc/rc.d by these 2 commands : mount -t procfs proc /usr/home/jail/10.0.2.6/proc jail /usr/home/jail/10.0.2.6 jail.kmem.org 10.0.2.6 /bin/sh /etc/rc - when i'm out of jail and i do this : > ipcs -a i get this : Message Queues: T ID KEY MODE OWNER GROUP CREATOR CGROUP CBYTES QNUM QBYTES LSPID LRPID STIME RTIME CTIME Shared Memory: T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME m 6946816 0 --rw------- tom tom tom tom 2 196608 3414 3380 9:59:36 10:50:07 9:59:36 Semaphores: T ID KEY MODE OWNER GROUP CREATOR CGROUP NSEMS OTIME CTIME however, if i'm in the jail and i do the same command, i get this : ipcs: short read SVID messages facility not configured in the system ipcs: short read SVID shared memory facility not configured in the system ipcs: short read SVID semaphores facility not configured in the system if I launch a netstat inside a jail, I get a unlimited amount of lines that look like this, until I ^C netstat: short read netstat: short read netstat: short read ... The rc.conf of the jail : hostname="jail.kmem.org" portmap_enable="NO" network_interfaces="" sshd_enable="YES" sendmail_enable="NO" inetd_flags="-wW -a 10.0.2.6" - this is what ifconfig looks like OUT of jail : rl0: flags=8843 mtu 1500 inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255 inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1 ether 00:50:8d:47:e5:67 media: Ethernet autoselect (10baseT/UTP) status: active rl1: flags=8843 mtu 1500 inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255 inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2 inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6 ether 00:50:fc:47:84:38 media: Ethernet autoselect (100baseTX ) status: active lp0: flags=8810 mtu 1500 sl0: flags=c010 mtu 552 faith0: flags=8002 mtu 1500 vlan0: flags=0<> mtu 1500 ether 00:00:00:00:00:00 vlan: 0 parent interface: lo0: flags=8049 mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 inet 127.0.0.1 netmask 0xff000000 ppp0: flags=8010 mtu 1500 tun0: flags=8051 mtu 1492 inet 81.50.114.213 --> 81.50.114.1 netmask 0xffffff00 Opened by PID 68 tun2: flags=8051 mtu 1500 inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa inet 10.0.2.1 --> 10.0.3.1 netmask 0xff000000 Opened by PID 258 tun1: flags=8051 mtu 1500 inet 10.0.2.1 --> 192.168.1.1 netmask 0xff000000 inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb Opened by PID 3290 - this is what ifconfig looks like IN the jail : rl0: flags=8843 mtu 1500 inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1 ether 00:50:8d:47:e5:67 media: Ethernet autoselect (10baseT/UTP) status: active rl1: flags=8843 mtu 1500 inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2 inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6 ether 00:50:fc:47:84:38 media: Ethernet autoselect (100baseTX ) status: active lp0: flags=8810 mtu 1500 sl0: flags=c010 mtu 552 faith0: flags=8002 mtu 1500 vlan0: flags=0<> mtu 1500 ether 00:00:00:00:00:00 vlan: 0 parent interface: lo0: flags=8049 mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 ppp0: flags=8010 mtu 1500 tun0: flags=8051 mtu 1492 Opened by PID 68 tun2: flags=8051 mtu 1500 inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa Opened by PID 258 tun1: flags=8051 mtu 1500 inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb Opened by PID 3290 --> when i built the jail, i cvsupped the stable branch, then i followed the prodedure described in man jail. i then rebuilt my kernel maybe i'm missing a device in the jail, maybe i have a route problem. maybe it's the absence of the loopback .. i'm not sure what to look for really. i rebuilt the world on the host with exactly the same sources as the jail, all is sync. --> With putty's logging feature i managed to grab this : netstat Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 52 jail.ssh ALyon-209-2-1-2..2484 ESTABLISHED tcp4 0 0 jail.smtp *.* LISTEN tcp4 0 0 jail.ssh *.* LISTEN tcp4 0 0 jail.telnet *.* LISTEN tcp4 0 0 jail.domain *.* LISTEN udp4 0 0 jail.syslog *.* udp4 0 0 jail.ntp *.* udp4 0 0 jail.domain *.* netstat: short read netstat: short read netstat: short read .....(goes on for miles and miles if i dont ^C) just in case : kmem and the kernel are linked to the jails dev/null cube# ll /usr/home/jail/10.0.2.6/dev/kmem lrwx------ 1 root wheel 4 May 21 17:05 /usr/home/jail/10.0.2.6/dev/kmem -> null cube# ll /usr/home/jail/10.0.2.6/kernel lrwxr-xr-x 1 root wheel 8 May 17 17:08 /usr/home/jail/10.0.2.6/kernel -> dev/null ----- Thanks in avance for any possible help Tom