From: Josh Beard
To: "Mike C."
Cc: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 10:31:10 -0600
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
List-Id: "Discussion about FreeBSD jail(8)"

On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:

>
> On 08/23/13 16:34, Mike C. wrote:
> > Yes I know about
> >
> >> security.jail.allow_raw_sockets=1
> >
> > Like I said I can do this with "root" just not with the user nagios, I guess if raw_sockets was set to 0 on the host, I would have problems with any user!
> >
> >
> >
> > ----
> > Putting this in /etc/rc.conf:
> >
> > jail_${JailName}_parameters="allow.raw_sockets=1"
> >
> > does not allow every jail access to raw sockets. There is an example in
> > /etc/defaults/rc.conf.
> >
> >
> > [EDIT: better English... sorry typing on smartphones sucks]
>
> Now this is something I wasn't aware of... very nice and thanks for the tip on ez-jails, I'm indeed using ez-jails!
>
> Is there any other setting that would forbid non root users to use raw sockets?
>
> Thanks
>

Mike,

Doesn't sound to me like an issue with the jail's configuration, but I'm no expert. I'm running NRPE on many jails without issue there and without any special jail configuration.

Are you getting "Operation not permitted" output from the "check_http" plugin on the local system or over something like NRPE or through the Nagios configurations?

Josh