Date: Fri, 17 Aug 2007 17:00:00 +0100
From: "mal content" <artifact.one@googlemail.com>
To: "Alexander Leidinger" <Alexander@leidinger.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: Jailed X applications
Message-ID: <8e96a0b90708170900u7d40165es18ac058877236a89@mail.gmail.com>
In-Reply-To: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net>
References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> <20070817100736.8291zwehpcgc4444@webmail.leidinger.net>
On 17/08/07, Alexander Leidinger <Alexander@leidinger.net> wrote:
> Quoting mal content <artifact.one@googlemail.com> (from Fri, 17 Aug
> 2007 06:10:39 +0100):
>
> This is better suited for freebsd-jail@ (CCed), please remove
> freebsd-security@ on reply to move the discussion there.
>

Gotcha.

> > Has anyone here ever successfully set up a jail for X apps, connecting
> > to an external X server? I'm trying an experimental sandbox setup here.
>
> I have my X server itself in a jail (needs a kernel patch and some
> devfs rules), and in the past connected to a jail and started an X11
> program there... IIRC.

I think you may misunderstand me. In this setup, my X server is actually
running on my host, outside of any jail. I intend for programs running
inside the jail to connect to the X server with TCP/IP:

ssh -N -L 6000:hostip:6000 x@hostip &
xterm -display 127.0.0.1:0    # display :0 is TCP port 6000, the forwarded one

The intention is to also place some sort of custom X proxy before the
actual server, to do inspection on the protocol before it is passed to
the real server. This is for later, however.

> ssh uses a tty (pty?), but normally you have some in a jail. How do
> you start the jail? There should be devfs mounted in the jail.
>

I'm using a jail created with ezjail from ports. The jail has both a
devfs and fdescfs mounted inside (it uses the standard jail devfs
rules). The ezjail documentation suggests that it uses the standard
/etc/rc.d/jail script to start jails; a quick look at the source seems
to confirm it.

I'm not entirely sure why programs are attempting to read directly from
/dev/tty. I have not changed any settings from the defaults. ssh and
ssh-keygen would both attempt to open /dev/tty when prompting for
passwords. I fixed this by disabling PasswordAuthentication in
/etc/ssh/ssh_config and by specifying passphrases to ssh-keygen on the
command line (a bad idea, but I'm the only user on this machine anyway).

thanks,
MC
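The inspecting X proxy that the message defers to "later" is the part of this setup that actually confines the jailed client: once a client has authenticated to the X server (MIT-MAGIC-COOKIE-1 or otherwise), the core protocol lets it ask for any window's pixels (GetImage) or the current keyboard state (QueryKeymap), so the jail boundary means nothing to the X server. The following is an added example, not code from this thread and not part of FreeBSD, ezjail or any X proxy project. It is a streaming filter for the client-to-server half of an X11 connection that reframes the setup block and each request (both byte orders and BIG-REQUESTS framing), rewrites a deny-list of opcodes to a NoOperation of identical length so the server's sequence counter stays aligned with the client's, and a small relay that sits between the ssh-forwarded port and the real server. The deny-list, the port numbers, the host name and the sample byte stream are assumptions made for the example.

```python
import socket
import struct
import threading
from typing import Dict, List, Optional

# Core X11 request opcodes, from Appendix B of the X Window System Protocol.
# Constructed deny-list for this example: each of these lets a connected client
# read keystrokes or pixels that belong to other clients on the same server.
DENIED: Dict[int, str] = {31: "GrabKeyboard", 33: "GrabKey", 44: "QueryKeymap", 73: "GetImage"}
NO_OPERATION = 127  # NoOperation is valid at any request length, so it can stand in for any request


def pad4(n: int) -> int:
    return (n + 3) & ~3


class X11RequestFilter:
    """Streaming filter for the client->server direction of one X11 connection.
    feed() takes arbitrary TCP chunks and returns the bytes that may go on to the
    real server; denied requests become NoOperation of the same length rather than
    being dropped, so sequence numbers stay in step. Partial requests stay buffered."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.order: Optional[str] = None  # struct byte-order prefix, learned from the setup block
        self.seq = 0                      # requests seen; mirrors the X sequence counter
        self.log: List[str] = []

    def feed(self, chunk: bytes) -> bytes:
        self.buf += chunk
        out = bytearray()
        if self.order is None:
            setup = self._take_setup()
            if setup is None:
                return b""
            out += setup
        while (req := self._take_request()) is not None:
            out += req
        return bytes(out)

    def _take_setup(self) -> Optional[bytes]:
        # Setup: byte-order(1) pad(1) major(2) minor(2) nameLen(2) dataLen(2) pad(2),
        # then the authorization protocol name and data, each padded to 4 bytes.
        if len(self.buf) < 12:
            return None
        order = {0x42: ">", 0x6C: "<"}.get(self.buf[0])  # 'B' = big-endian, 'l' = little-endian
        if order is None:
            raise ValueError("not an X11 setup block (byte-order byte %#x)" % self.buf[0])
        name_len, data_len = struct.unpack(order + "HH", self.buf[6:10])
        total = 12 + pad4(name_len) + pad4(data_len)
        if len(self.buf) < total:
            return None
        self.order = order
        auth = bytes(self.buf[12:12 + name_len]).decode("latin-1")
        self.log.append("setup: %s-endian, auth protocol %r" % ("big" if order == ">" else "little", auth))
        setup, self.buf = bytes(self.buf[:total]), self.buf[total:]
        return setup

    def _take_request(self) -> Optional[bytes]:
        # Request: opcode(1) data(1) length(2) in 4-byte units. Length 0 means
        # BIG-REQUESTS is in use and a 32-bit unit count follows the header.
        if len(self.buf) < 4:
            return None
        opcode = self.buf[0]
        (units,) = struct.unpack(self.order + "H", self.buf[2:4])
        header = 4
        if units == 0:
            if len(self.buf) < 8:
                return None
            (units,) = struct.unpack(self.order + "I", self.buf[4:8])
            header = 8
        total = units * 4
        if total < header:
            raise ValueError("malformed request: opcode %d declares %d bytes" % (opcode, total))
        if len(self.buf) < total:
            return None
        req, self.buf = bytes(self.buf[:total]), self.buf[total:]
        self.seq += 1
        if opcode in DENIED:
            self.log.append("seq %d: %s (opcode %d) rewritten to NoOperation" % (self.seq, DENIED[opcode], opcode))
            req = bytes([NO_OPERATION]) + req[1:]  # same length and padding, different opcode
        return req


def relay(listen_port: int, server_host: str, server_port: int = 6000) -> None:
    """Accept clients on 127.0.0.1:listen_port, forward each to the real X server,
    filter client->server only; replies and events pass through untouched."""
    def pump(src: socket.socket, dst: socket.socket, flt: Optional[X11RequestFilter]) -> None:
        try:
            while data := src.recv(65536):
                dst.sendall(flt.feed(data) if flt else data)
            dst.shutdown(socket.SHUT_WR)  # propagate EOF and let the other direction drain
        except (OSError, ValueError):
            src.close()
            dst.close()                   # malformed stream or I/O error: tear down both sides
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection((server_host, server_port))
            threading.Thread(target=pump, args=(client, upstream, X11RequestFilter()), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client, None), daemon=True).start()


# Constructed sample traffic (not a capture) to exercise setup parsing,
# reassembly across a chunk boundary, and the rewrite of two denied requests.
def build_setup(order: str, auth_name: bytes = b"MIT-MAGIC-COOKIE-1", auth_data: bytes = bytes(16)) -> bytes:
    head = struct.pack(order + "BxHHHHxx", 0x6C if order == "<" else 0x42, 11, 0, len(auth_name), len(auth_data))
    return head + auth_name.ljust(pad4(len(auth_name)), b"\0") + auth_data.ljust(pad4(len(auth_data)), b"\0")


def build_request(order: str, opcode: int, data: int, body: bytes) -> bytes:
    body = body.ljust(pad4(len(body)), b"\0")
    return struct.pack(order + "BBH", opcode, data, 1 + len(body) // 4) + body


def demo(order: str = "<") -> dict:
    stream = (build_setup(order)
              + build_request(order, 20, 0, bytes(20))   # GetProperty: allowed, passes unchanged
              + build_request(order, 44, 0, b"")         # QueryKeymap: denied
              + build_request(order, 73, 2, bytes(16)))  # GetImage: denied
    flt = X11RequestFilter()
    out = flt.feed(stream[:37]) + flt.feed(stream[37:])  # split mid-setup on purpose
    return {"stream": stream, "out": out, "log": flt.log, "seq": flt.seq}
```

With the setup from the message, `relay(6010, "hostip")` would run on the host and the jail's tunnel would become `ssh -N -L 6000:hostip:6010 x@hostip`, so the jailed client still sees display `127.0.0.1:0` while every request crosses the filter. Two caveats a practitioner would want before relying on this. First, QueryKeymap and GetImage expect a reply, and NoOperation produces none, so a denied client blocks in Xlib; a complete proxy must also synthesize a 32-byte Error with the matching sequence number into the server-to-client stream, which means parsing that direction as well. Second, the dangerous extension requests (RECORD, XTEST, MIT-SHM) use a per-server major opcode handed out in the QueryExtension reply, so a real policy has to watch those replies to learn the numbers; this example covers core opcodes only.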