Date: Sat, 23 Oct 2021 14:52:45 +0000
From: Chris Stephan <chris.stephan@live.com>
To: antranigv <antranigv@freebsd.am>, "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org>
Subject: Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?
Message-ID: <SA1PR02MB86690427417407BAE86398D79B819@SA1PR02MB8669.namprd02.prod.outlook.com>
In-Reply-To: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>
References: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>
> From: owner-freebsd-hackers@freebsd.org <owner-freebsd-hackers@freebsd.org> on behalf of antranigv <antranigv@freebsd.am>
> The main problem that I am trying to solve is
> displaying the correct UID username.

Unfortunately, while the JID+UID is considered unique to the context of the process and the Jail it resides in, /bin/ps looks up the name associated with the UID based on the current JID ps is run in. I would guess the intent behind this is that most organizations would map all users to the same UIDs so they would be universal. The result, as you've identified, is that ps can be caught lying to you if your UIDs are not synchronized between the users in a given system of host+jails, given that each jail is a unique system with its own resources (including UID/GID mapping). So, I see two ways to solve this.

Synchronization of the UID/GID information via NIS, LDAP, or the like, which would extend credential mapping beyond the local host, but has the unfortunate side effect of creating a larger footprint to secure the file system on your host. Local to the host, I would think this could be achieved with NULLFS RO mounts of a sub folder of /etc into the jails and some symlinks to the passwd, group, and etc.master files in the host's /etc folder. One might also include nsswitch to guarantee the same source resolution happens both in the jails and at the host.

Either in combination with or independent of the first option, I have wrapped /usr/bin/ps in the past to turn a ps call into a map-reduce function where execution in the parent iterates over all the running jails (unless -J is provided, which isolates the call to a single JID) and prepends '/usr/sbin/jail $JID' to the original command (minus the -J and $JID args).

NOTE: there are caveats to this approach, for example when there are jails within jails, and I'm not sure how the sysctl 'security.bsd.see_other_uids' might affect output in a jail. Good luck.
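The wrapper described in the reply above, written out as an added example that is not part of the original message or of FreeBSD itself. It uses jexec(8) rather than the `/usr/sbin/jail $JID` form the author mentions, so that ps(1) runs inside each jail's own UID/GID namespace and resolves user names from that jail's passwd; the function names (`jail_arg_of`, `strip_jail_arg`, `run_ps`) and the script name `ps-wrapper.sh` are my own, and it assumes a FreeBSD host where `jls jid name` lists running jails, `jexec` is usable (root on the host), and `ps -J 0` limits output to host-only processes.

```sh
#!/bin/sh
# Added example (not from the original message): a ps(1) wrapper that, when no
# -J is given, runs ps inside every running jail via jexec(8) so that each UID
# is resolved against that jail's own passwd file, then concatenates the output.
# Assumes FreeBSD with jls(8)/jexec(8); run as root on the host.

# jail_arg_of ARGS...: print the jid/name given with -J (as "-J 3" or "-J3"),
# or nothing if no -J option is present.
jail_arg_of() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -J)   [ $# -ge 2 ] && printf '%s\n' "$2"; return 0 ;;
            -J?*) printf '%s\n' "${1#-J}"; return 0 ;;
        esac
        shift
    done
    return 0
}

# strip_jail_arg ARGS...: print ARGS one per line with the -J option and its
# value removed, so the remainder can be handed to ps inside a jail.
strip_jail_arg() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -J)
                # Drop "-J" and its value; a trailing "-J" with no value is dropped alone.
                if [ $# -ge 2 ]; then shift 2; else shift; fi
                continue
                ;;
            -J?*)
                shift
                continue
                ;;
        esac
        printf '%s\n' "$1"
        shift
    done
}

# run_ps ARGS...: the wrapper entry point ("map" over jails, "reduce" by concatenation).
run_ps() {
    jid=$(jail_arg_of "$@")
    rest=$(strip_jail_arg "$@")
    # Rebuild the positional parameters from the newline-separated list.
    oldifs=$IFS
    IFS='
'
    set -- $rest
    IFS=$oldifs

    if [ -n "$jid" ]; then
        # -J given: run ps inside that one jail so names come from its passwd.
        exec /usr/sbin/jexec "$jid" /bin/ps "$@"
    fi

    # No -J: host processes first (resolved with the host's passwd) ...
    echo "== host =="
    /bin/ps -J 0 "$@"
    # ... then every running jail, each resolving UIDs in its own context.
    /usr/sbin/jls jid name | while read -r j name; do
        echo "== jail $j ($name) =="
        /usr/sbin/jexec "$j" /bin/ps "$@"
    done
}

# Run only when executed as the wrapper script, not when sourced for testing.
case "$0" in
    */ps-wrapper.sh|ps-wrapper.sh) run_ps "$@" ;;
esac
```

Install it ahead of /bin/ps in PATH (or call it explicitly) and invoke it exactly as you would ps, e.g. `ps-wrapper.sh -ax -o pid,user,command`. Nested jails are not descended into, matching the caveat in the message, and the `security.bsd.see_other_uids` sysctl still governs what an unprivileged invocation inside a jail can see.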