Date: Tue, 4 May 1999 17:22:22 +0200
From: Rudolf Cejka
To: Poul-Henning Kamp
Cc: Rudolf Cejka, "freebsd-current@freebsd.org"
Subject: Re: Jail - any success?
Message-ID: <19990504172222.A25275@kazi.dcse.fee.vutbr.cz>
References: <199905031339.PAA20535@kazi.dcse.fee.vutbr.cz> <7998.925739554@critter.freebsd.dk>
In-Reply-To: <7998.925739554@critter.freebsd.dk>; from Poul-Henning Kamp on Mon, May 03, 1999 at 03:52:34PM +0200

Poul-Henning Kamp wrote (1999/05/03):
> You need to put ip aliases on your loopback interface, for instance:
>
> ifconfig lo0 10.0.0.1 netmask 255.255.255.255 alias
> ...
> ifconfig lo0 10.0.0.5 netmask 255.255.255.255 alias
>
> Then you give each jail one of these ipnumbers and start whatever
> daemons you want in the jail (inetd, sshd, apache...)
>
> Of course your routing needs to work such that these ip numbers
> end up on your machine, you can also do this by adding multiple
> IP# to the ethernet of the machine.

Thanks. Now I know where the problem was - if I create an ip alias

    ifconfig lo0 A.B.C.D netmask 255.255.255.255 alias

I must write the jail command as

    jail /path domain.name D.C.B.A /command

so on my PC the ip-address isn't converted to a network format.

Here are my suggestions:

*) Apply this patch to jail.c:
   (Or bug is in system call? What format should be there?)

--- jail.c.orig Tue May 4 14:00:36 1999 +++ jail.c Tue May 4 14:00:47 1999 
@@ -21,7 +21,7 @@ i = inet_aton(argv[3], &in); if (!i) errx(1, "Couldn't make sense if ip number\n"); - j.ip_number = in.s_addr; + j.ip_number = htonl(in.s_addr); i = jail(&j); if (i) err(1, "Imprisonment failed");

*) There should be "$Id" in all Makefile, jail.8, and jail.c I think.

*) In jail(8) there is synopsis "jail path hostname ip-number".
   It should be "jail path hostname ip command ..." as is usage
   of jail command.

(If you want I can file PRs :-)

Is it possible to call ping in prison session?

# ping some.host
ping: socket: Operation not permitted

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
Rudolf Cejka (cejkar@dcse.fee.vutbr.cz; http://www.fee.vutbr.cz/~cejkar)
Brno University of Technology, Faculty of El. Engineering and Comp. Science
Bozetechova 2, 612 66 Brno, Czech Republic
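
Review bot: on the changed line "j.ip_number = htonl(in.s_addr);" the conversion is named in the wrong direction. inet_aton() already leaves in.s_addr in network byte order, so if the jail system call wants ip_number in host order the call should be ntohl(in.s_addr). Both macros perform the same byte swap on a little-endian PC, which is why the patch makes A.B.C.D work there, but ntohl states the intent and reads correctly to the next person auditing the address handling. The byte order expected in ip_number should also be written down in the man page next to the synopsis fix, so that the question raised in the message (utility or system call at fault) is settled in one place. Separately, the errx() context line has a typo ("if" for "of") and a trailing "\n" that errx() already supplies.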