From: Jeremie Le Hen
To: Josef Karthauser
Cc: hackers@freebsd.org, fs@freebsd.org
Date: Fri, 16 Feb 2007 11:32:14 +0100
Subject: Re: nullfs and named pipes.
Message-ID: <20070216103214.GW64768@obiwan.tataz.chchile.org>
In-Reply-To: <20070215152259.GA2950@genius.tao.org.uk>
References: <20070204023711.GA3393@genius.tao.org.uk> <20070215135750.GR64768@obiwan.tataz.chchile.org> <20070215152259.GA2950@genius.tao.org.uk>
Josef,

On Thu, Feb 15, 2007 at 03:22:59PM +0000, Josef Karthauser wrote:
> On Thu, Feb 15, 2007 at 02:57:50PM +0100, Jeremie Le Hen wrote:
> >
> > Note that all processes within a jail can only interfere with processes
> > from another jail or host as if they were on different machines. This
> > means they can communicate through PF_INET for instance but not
> > PF_LOCAL.
> >
> > [...]
> > So how does this relate to jails?
>
> The point of using nullfs is to make a PF_LOCAL socket appear local
> even in the jail(!). Using the patch above this is indeed the case
> and as far as the jail is concerned the socket is indeed local,
> meaning that a process within a jail can talk via it to a process
> on the host environment with no restrictions. This is crucially
> important for mysql for instance as there is significant overhead
> associated with PF_INET connections which can be avoided by talking
> to PF_LOCAL sockets.

I was wrong, you are right. I was pretty sure the kernel retained the
credentials of the listening process and that trying to connect to the
latter using a process that has a mismatching jail ID would fail.

On term #1:
% jarjarbinks:~:103# nc -U -l /usr/space/chroot/tmp/mysock

On term #2:
% jarjarbinks:/usr/src:102# echo "I won't speak before testing" | jail /usr/space/chroot test 192.168.1.3 /usr/bin/nc -U /tmp/mysock

On term #1!
% I won't speak before testing

Sorry for the noise. At least, I rekindled the thread :-).

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >