Date:      Fri, 23 Aug 2013 12:27:37 -0500 (CDT)
From:      "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To:        "Mike C." <miguelmclara@gmail.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: connect -1 errno 1 Operation not permitted with specific user  (nagios)
Message-ID:  <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>
In-Reply-To: <5217A640.6070903@gmail.com>
References:  <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <CAHDrHSuupiWJxAw3arOas1UNCSm_5iqqxn2_eCt84KFiE8wwVA@mail.gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> <5217A640.6070903@gmail.com>


On Fri, August 23, 2013 1:13 pm, Mike C. wrote:
> On 08/23/13 16:35, Valeri Galtsev wrote:
>>
>> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. <miguelmclara@gmail.com>
>>> wrote:
>>>
>>>>
>>>> On 08/23/13 16:34, Mike C. wrote:
>>>>> Yes I know about
>>>>>
>>>>>> security.jail.allow_raw_sockets=1
>>>>>
>>>>> Like I said I can do this with "root" just not with the user nagios,
>>>>> I guess if raw_sockets was set to 0 on the host, I would have problems
>>>>> with any user!
>>>>>
>>>>>
>>>>>
>>>>> ----
>>>>> Putting this in /etc/rc.conf:
>>>>>
>>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>>
>>>>> does not allow every jail access to raw sockets.  There is an example
>>>>> in /etc/defaults/rc.conf.
>>>>>
>>>>>
>>>>
>>>> [EDIT: better English... sorry, typing on smartphones sucks]
>>>>
>>>> Now this is something I wasn't aware of... very nice and thanks for
>>>> the tip on ez-jails, I'm indeed using ez-jails!
>>>>
>>>> Is there any other setting that would forbid non root users to use raw
>>>> sockets?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>> Mike,
>>>
>>> Doesn't sound to me like an issue with the jail's configuration, but
>>> I'm no expert.
>>>
>>> I'm running NRPE on many jails without issue there and without any
>>> special jail configuration.
>>>
>>> Are you getting "Operation not permitted" output from the "check_http"
>>> plugin on the local system or over something like NRPE or through the
>>> Nagios configurations?
>>>
>>> Josh
>
> Local and remote but not with nrpe yet... I guess if I can't use
> check_http, I will have problems with nrpe too.
>
>
>>
>> Also, try to do something simple like ping or traceroute as user nagios
>> (user for whom check_http fails) in that jail, - does that give any
>> error?
>>
>
> Interesting, I see:
> traceroute: icmp socket: Operation not permitted
>
> Same for
> ping: socket: Operation not permitted
>
> Even with root... so I guess that's the problem, but I wonder now how does
> check_http work for root? If I can't even ping...
>

Also, for whatever reason the nice per-jail configuration that Scott Lambert
pointed to did not work for me, so I still had to stay with allowing raw
sockets in all jails on my boxes... Could you try that less elegant
configuration I mentioned:

# execute the command:

sysctl security.jail.allow_raw_sockets=1

# restart jail in question

- and see if you still have the raw socket problem for users in that jail.

Thanks.
Valeri


>
>> Thanks.
>> Valeri
>>
>
>
> --
> Melhores Cumprimentos // Best Regards
> ------------------------------------------------------------------------
> Miguel Clara
> *nix Sys Admin Freelance
>
>
>
> http://www.linkedin.com/in/miguelmclara/
> Mike_C_PT <https://twitter.com/Mike_C_PT>;
> http://about.me/miguelmclara
> ------------------------------------------------------------------------
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
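An added diagnostic (not code from this thread or from FreeBSD) that does by program what the thread does by hand with ping and traceroute: it tries to create a plain TCP socket and a raw ICMP socket, then classifies an EPERM the way Valeri's suggestion assumes, i.e. raw sockets denied even to root point at the jail's raw-socket setting rather than at the nagios user. The probe_socket()/diagnose() helpers and their message strings are my own.

```c
/* Added example: probe socket creation and classify "Operation not permitted".
 * In a FreeBSD jail with raw sockets disallowed, socket(AF_INET, SOCK_RAW, ...)
 * fails with EPERM even for root; for an unprivileged user it fails with EPERM
 * everywhere (on Linux, unless the process holds CAP_NET_RAW). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Try to create an AF_INET socket of the given type/protocol.
 * Returns 0 on success or the errno value on failure; the fd is closed. */
int probe_socket(int type, int protocol) {
    int fd = socket(AF_INET, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Pure classification of the two probe results (constructed message strings).
 * A TCP socket must always work; raw ICMP failing with EPERM while running
 * as root is the jail symptom seen in the thread, not a user-permission one. */
const char *diagnose(int tcp_err, int raw_err, int is_root) {
    if (tcp_err != 0)
        return "cannot create even a TCP socket: not a raw-socket issue";
    if (raw_err == 0)
        return "raw sockets available";
    if (raw_err == EPERM && is_root)
        return "raw sockets denied to root: check allow.raw_sockets / security.jail.allow_raw_sockets";
    if (raw_err == EPERM)
        return "raw sockets denied to unprivileged user: expected; retry as root to test the jail";
    return "raw socket failed for another reason";
}

int main(void) {
    int tcp_err = probe_socket(SOCK_STREAM, IPPROTO_TCP);
    int raw_err = probe_socket(SOCK_RAW, IPPROTO_ICMP);
    printf("tcp: %s\nraw icmp: %s\n",
           tcp_err ? strerror(tcp_err) : "ok",
           raw_err ? strerror(raw_err) : "ok");
    puts(diagnose(tcp_err, raw_err, geteuid() == 0));
    return raw_err ? 1 : 0;
}
```

Run it once as root and once as the nagios user inside the jail; if both runs report the raw socket as denied, the jail parameter is the cause, as the ping/traceroute results above suggest.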



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36768.128.135.70.2.1377278857.squirrel>