Date:      Sat, 23 Oct 2021 14:52:45 +0000
From:      Chris Stephan <chris.stephan@live.com>
To:        antranigv <antranigv@freebsd.am>, "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?
Message-ID:  <SA1PR02MB86690427417407BAE86398D79B819@SA1PR02MB8669.namprd02.prod.outlook.com>
In-Reply-To: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>
References:  <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>


> From: owner-freebsd-hackers@freebsd.org <owner-freebsd-hackers@freebsd.org> on behalf of antranigv <antranigv@freebsd.am>

> The main problem that I am trying to solve is
> displaying the correct UID username.

Unfortunately, while the JID+UID is considered unique to the context of the process and the Jail it resides in, /bin/ps looks up the name associated with the UID based on the current JID ps is run in. I would guess the intent behind this is that most organizations would map all users to the same UIDs so they would be universal. The result, as you’ve identified, is that ps can be caught lying to you if your UIDs are not synchronized between the users in a given system of host+jails, given that each jail is a unique system with its own resources (including UID/GID mapping). So, I see two ways to solve this.

Synchronization of the UID/GID information via NIS, LDAP, or the like, which would extend credential mapping beyond the local host, but has the unfortunate side effect of creating a larger footprint to secure the file system on your host. Local to the host, I would think this could be achieved with NULLFS RO mounts of a sub folder of /etc into the jails and some symlinks to the passwd, group, and etc.master files in the host’s /etc folder. One might also include nsswitch to guarantee the same source resolution happens both in the jails and at the host.

Either in combination with or independent of the first option, I have wrapped /usr/bin/ps in the past to turn a ps call into a map reduce function where execution in the parent iterates over all the running jails (unless -J is provided, which isolates the call to a single JID) and prepends ‘/usr/sbin/jail $JID’ to the original command (minus the -J and $JID args.)

NOTE: there are caveats to this approach, for example when there are jails within jails, and I’m not sure how the sysctl at ‘security.bsd.see_other_uids’ might affect output in a jail.

Good luck.
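As an added example (not Chris's script and not part of this thread), here is the fan-out wrapper the second option describes, written as a POSIX sh script. It assumes FreeBSD's `jls -q jid` lists running jail ids and uses `jexec(8)` to enter each jail, rather than the `jail` command named in the mail; the `--run` flag and the `JPS_DRYRUN` variable are this example's own conventions. Running ps inside each jail makes the UID-to-name lookup go through that jail's own passwd, which is the whole point of the exercise.

```shell
#!/bin/sh
# Added example, not the poster's script: a ps(1) wrapper that runs the query
# inside every running jail so UIDs resolve against each jail's own passwd.
# Assumptions (FreeBSD, not stated in the mail): `jls -q jid` prints one
# running jail id per line and `jexec <jid> <cmd>` runs <cmd> inside that jail.
# Inside a jail the output is still subject to that jail's own
# security.bsd.see_other_uids setting, the caveat the mail notes.

# Split "-J <jid>" (or "-J<jid>") out of the ps arguments.
# Prints "<jid>|<remaining args>"; jid is empty when -J was not given.
split_jid_arg() {
    jid=""
    rest=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -J)
                [ $# -ge 2 ] || { echo "-J needs a jail id" >&2; return 2; }
                jid="$2"
                shift 2
                ;;
            -J*)
                jid="${1#-J}"
                shift
                ;;
            *)
                rest="$rest $1"
                shift
                ;;
        esac
    done
    printf '%s|%s\n' "$jid" "${rest# }"
}

# Run ps on the host (jid 0) and then in each running jail, or only in the
# jail named by -J. With JPS_DRYRUN set, print the planned command lines
# instead of executing them. Output is concatenated, not merged or re-sorted.
run_jailed_ps() {
    parsed=$(split_jid_arg "$@") || return $?
    jid=${parsed%%|*}
    args=${parsed#*|}
    if [ -n "$jid" ]; then
        jids="$jid"
    else
        jids="0 $(jls -q jid 2>/dev/null | tr '\n' ' ')"
    fi
    for j in $jids; do
        # Word-splitting of $args is intended: they are separate ps arguments.
        if [ "$j" = "0" ]; then
            set -- ps $args
        else
            set -- jexec "$j" ps $args
        fi
        if [ -n "${JPS_DRYRUN:-}" ]; then
            printf '%s\n' "$*"
        else
            printf '== jid %s ==\n' "$j"
            "$@"
        fi
    done
}

# Only execute when invoked as `sh jps.sh --run <ps args>`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    run_jailed_ps "$@"
fi
```

Usage: `sh jps.sh --run -auxww` walks the host and every jail; `sh jps.sh --run -J 7 -auxww` confines the call to jail 7, as the `-J` handling in the mail describes. Setting `JPS_DRYRUN=1` shows the per-jail command lines without running anything, which is handy for checking the plan on a host with nested jails before trusting the output.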
