From: "Mike C." <miguelmclara@gmail.com>
Date: Fri, 23 Aug 2013 18:13:20 +0000
Message-ID: <5217A640.6070903@gmail.com>
To: galtsev@kicp.uchicago.edu
Cc: freebsd-jail@freebsd.org
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
In-Reply-To: <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu>
List-Id: "Discussion about FreeBSD jail(8)"

On 08/23/13 16:35, Valeri Galtsev wrote:
>
> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:
>>
>>> On 08/23/13 16:34, Mike C. wrote:
>>>> Yes, I know about
>>>>
>>>>> security.jail.allow_raw_sockets=1
>>>>
>>>> Like I said, I can do this with "root", just not with the user nagios. I
>>>> guess if raw_sockets was set to 0 on the host, I would have problems
>>>> with any user!
>>>>
>>>> ----
>>>> Putting this in /etc/rc.conf:
>>>>
>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>
>>>> does not allow every jail access to raw sockets. There is an example
>>>> in /etc/defaults/rc.conf.
>>>>
>>>
>>> [EDIT: better English... sorry, typing on smartphones sucks]
>>>
>>> Now this is something I wasn't aware of... very nice, and thanks for the
>>> tip on ez-jails; I'm indeed using ez-jails!
>>>
>>> Is there any other setting that would forbid non-root users to use raw
>>> sockets?
>>>
>>> Thanks
>>>
>> Mike,
>>
>> Doesn't sound to me like an issue with the jail's configuration, but I'm
>> no expert.
>>
>> I'm running NRPE on many jails without issue there and without any special
>> jail configuration.
>>
>> Are you getting "Operation not permitted" output from the "check_http"
>> plugin on the local system, or over something like NRPE, or through the
>> Nagios configuration?
>>
>> Josh

Local and remote, but not with NRPE yet... I guess if I can't use check_http, I will have problems with NRPE too.

> Also, try to do something simple like ping or traceroute as user nagios
> (the user for whom check_http fails) in that jail - does that give any error?

Interesting, I see:

traceroute: icmp socket: Operation not permitted

Same for ping:

socket: Operation not permitted

Even with root... so I guess that's the problem, but now I wonder how check_http works for root if I can't even ping...

> Thanks.
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++

--
Melhores Cumprimentos // Best Regards
------------------------------------------------------------------------
Miguel Clara
*nix Sys Admin Freelance
http://www.linkedin.com/in/miguelmclara/
Mike_C_PT
http://about.me/miguelmclara
------------------------------------------------------------------------
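As an added example (not part of the thread above, and not ezjail's or FreeBSD's own tooling), a small POSIX shell check for the rc.conf side of the question: given an rc.conf-style file and a jail name, it reads the jail_<name>_parameters line that the thread mentions and reports whether allow.raw_sockets is granted, denied, or simply not set for that jail. The function name raw_sockets_in_rcconf, the sample rc.conf content and the jail names web, db and dns are all constructed for the example; jail names are assumed to be plain alphanumeric.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks whether an rc.conf-style
# file grants raw sockets to a given jail through jail_<name>_parameters.
#
# Usage: raw_sockets_in_rcconf <rc.conf-file> <jailname>
# Prints "enabled", "disabled" or "unset" and returns 0, 1 or 2 respectively.
raw_sockets_in_rcconf() {
    rcfile=$1
    jail=$2

    # The line looks like:  jail_web_parameters="allow.raw_sockets=1 allow.sysvipc=1"
    # Keep only the last match: a later assignment wins in rc.conf.
    # (Assumes a plain alphanumeric jail name, so it is safe inside the pattern.)
    line=$(grep -E "^[[:space:]]*jail_${jail}_parameters=" "$rcfile" | tail -n 1)
    if [ -z "$line" ]; then
        echo unset
        return 2
    fi

    # Drop the variable name and the surrounding quotes, leaving the parameter list.
    value=${line#*=}
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}

    # jail(8) boolean syntax: "allow.raw_sockets" or "allow.raw_sockets=1" enable,
    # "allow.noraw_sockets" or "allow.raw_sockets=0" disable. The last one wins.
    state=unset
    for param in $value; do
        case $param in
            allow.raw_sockets|allow.raw_sockets=1)   state=enabled ;;
            allow.noraw_sockets|allow.raw_sockets=0) state=disabled ;;
        esac
    done

    echo "$state"
    case $state in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        return 2 ;;
    esac
}

# Demo on a constructed rc.conf fragment (not a real host's configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname="host.example"
jail_web_parameters="allow.raw_sockets=1 allow.sysvipc=1"
jail_db_parameters="allow.noraw_sockets"
jail_dns_parameters="allow.sysvipc=1"
EOF
for j in web db dns; do
    printf '%s: ' "$j"
    raw_sockets_in_rcconf "$sample" "$j" || :
done
rm -f "$sample"
```

This only tells you what rc.conf asks for at jail start. On the host, the value actually in effect for a running jail comes from `jls -j <jailname> allow.raw_sockets`, and `sysctl security.jail.allow_raw_sockets` shows the host-wide default that applies when a jail sets nothing. A root-in-jail "socket: Operation not permitted" from ping(8) is what an allow.raw_sockets=0 jail looks like, which is why checking the live value is the first step.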