From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "Mike C."
Cc: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 12:27:37 -0500 (CDT)
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
Message-ID: <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>
In-Reply-To: <5217A640.6070903@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

On Fri, August 23, 2013 1:13 pm, Mike C. wrote:
> On 08/23/13 16:35, Valeri Galtsev wrote:
>>
>> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:
>>>>
>>>> On 08/23/13 16:34, Mike C. wrote:
>>>>> Yes I know about
>>>>>
>>>>>> security.jail.allow_raw_sockets=1
>>>>>
>>>>> Like I said I can do this with "root" just not with the user nagios. I
>>>>> guess if raw_sockets was set to 0 on the host, I would have problems
>>>>> with any user!
>>>>>
>>>>> ----
>>>>> Putting this in /etc/rc.conf:
>>>>>
>>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>>
>>>>> does not allow every jail access to raw sockets. There is an example
>>>>> in /etc/defaults/rc.conf.
>>>>>
>>>> [EDIT: better English... sorry typing on smartphones sucks]
>>>>
>>>> Now this is something I wasn't aware of... very nice and thanks for
>>>> the tip on ez-jails, I'm indeed using ez-jails!
>>>>
>>>> Is there any other setting that would forbid non-root users to use raw
>>>> sockets?
>>>>
>>>> Thanks
>>>>
>>> Mike,
>>>
>>> Doesn't sound to me like an issue with the jail's configuration, but
>>> I'm no expert.
>>>
>>> I'm running NRPE on many jails without issue there and without any
>>> special jail configuration.
>>>
>>> Are you getting "Operation not permitted" output from the "check_http"
>>> plugin on the local system or over something like NRPE or through the
>>> Nagios configurations?
>>>
>>> Josh
>
> Local and remote but not with nrpe yet... I guess if I can't use
> check_http, I will have problems with nrpe too.
>
>> Also, try to do something simple like ping or traceroute as user nagios
>> (user for whom check_http fails) in that jail - does that give any
>> error?
>
> Interesting, I see:
> traceroute: icmp socket: Operation not permitted
>
> Same for
> ping: socket: Operation not permitted
>
> Even with root... so I guess that's the problem, but I wonder now, how
> does check_http work for root? If I can't even ping...

Also, for whatever reason the nice per-jail configuration that Scott Lambert
pointed to did not work for me, so I still had to stay with allowing raw
sockets in all jails on my boxes... Could you try that less elegant
configuration I mentioned:

# execute the command:
sysctl security.jail.allow_raw_sockets=1
# restart jail in question

- and see if you still have the raw socket problem for users in that jail.

Thanks.
Valeri

>> Thanks.
>> Valeri
>
> --
> Melhores Cumprimentos // Best Regards
> Miguel Clara
> *nix Sys Admin Freelance
> http://www.linkedin.com/in/miguelmclara/
> Mike_C_PT
> http://about.me/miguelmclara

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
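The thread contrasts two knobs: the per-jail allow.raw_sockets parameter and the host-wide security.jail.allow_raw_sockets default. Added example, not from the thread: a small sh audit that reports which running jails permit raw sockets and whether the host default does, parsing jls(8) "name=value" output (the `jls -n jid name allow.raw_sockets` invocation and its exact output format are assumed; the sample lines are constructed).

```shell
#!/bin/sh
# Added example: audit raw-socket permission per jail on a FreeBSD host.
# Functions take their input as text so they can run offline against a
# constructed sample; live invocations are shown at the bottom.

# Print "<jail name> allowed|denied" for each line of `jls -n` output.
# $1: jls -n output, one jail per line, space-separated key=value pairs
# A jail counts as "allowed" only when allow.raw_sockets=1 is present.
raw_socket_state() {
    printf '%s\n' "$1" | awk '
        {
            name = ""; raw = "0"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "name") name = kv[2]
                if (kv[1] == "allow.raw_sockets") raw = kv[2]
            }
            if (name != "") print name, (raw == "1" ? "allowed" : "denied")
        }'
}

# Succeed (exit 0) when the host-wide default permits raw sockets, i.e.
# the value the thread suggests setting with
#   sysctl security.jail.allow_raw_sockets=1
# $1: output of `sysctl -n security.jail.allow_raw_sockets`
host_default_allows_raw() {
    [ "$1" = "1" ]
}

# Constructed sample (assumed format of `jls -n jid name allow.raw_sockets`)
# for a host where only the monitoring jail has allow.raw_sockets=1.
SAMPLE_JLS='jid=1 name=www allow.raw_sockets=0
jid=2 name=nagios allow.raw_sockets=1
jid=3 name=db allow.raw_sockets=0'

# Live use on a FreeBSD host (needs jls and sysctl; commented out here):
# raw_socket_state "$(jls -n jid name allow.raw_sockets)"
# host_default_allows_raw "$(sysctl -n security.jail.allow_raw_sockets)" \
#     && echo "host default: allowed" || echo "host default: denied"
raw_socket_state "$SAMPLE_JLS"
```

A jail reported as "denied" will fail ping and traceroute with "socket: Operation not permitted" for every user, root included, which is the symptom seen in the thread.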