From: Heikki Lindholm
Date: Thu, 6 Apr 2017 07:20:58 +0300
To: freebsd-questions@freebsd.org
Subject: Re: X11 and ezjails

On 05.04.2017 21:38, James B. Byrne via freebsd-questions wrote:
>
> On Wed, April 5, 2017 11:18, Ernie Luzar wrote:
>>
>> This is the problem
>> E233: cannot open display
>>
>> gvim will not work if run in a jail. gvim uses x11 and x11 needs
>> kernel access to talk to the x11 display. Jails are designed on
>> purpose to deny kernel access to secure the host system from
>> attack. This is why you can never get a desktop to run in a jail.
>> The other authentication error messages are bogus and can be
>> ignored as misleading.
>>
>> This is also why gvim works when run on the host system.
>>
>> The bottom line here is that what you're trying to run in a jail will
>> NEVER work. Ezjail has no bearing on this problem, it's a design feature
>> of jail(8).
>>
>
> Thank you very much. That saves me from much futile effort.
>
> Since all of the files used by a jail lie under /usr/jails// I
> can just edit the appropriate files directly from the host instead.

I have no problems running X11 apps in jails. The X11 protocol is client / server and clients can be running on separate machines from the server. The X11 connection can be forwarded through ssh. In my jail where an X11 app is running there are no xserver components installed (which would require kernel access) and if there were, they would not be used by the remote client that's run through an ssh connection.

However, X11 is also insecure, so running an application from jail only prevents it from accessing your host filesystem. It can still act as a keylogger or capture screen content of other apps. Depending on one's requirements, this might not be what is sought by running stuff in jails.
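
The caveat in the reply above maps onto OpenSSH's two X11 forwarding modes: with ForwardX11Trusted yes the forwarded client has full access to the display, while with ForwardX11Trusted no it is treated as an untrusted client and prevented from stealing or tampering with data belonging to trusted X11 clients. As an added example (not part of the original message), this shell function classifies the effective setting from `ssh -G` output; the host name and sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify how ssh would forward X11 to a jail host.
# Input on stdin is `ssh -G <host>` output (lowercase "keyword value" lines).
#   off        no forwarding, the jailed client cannot reach the display
#   untrusted  ForwardX11Trusted no: restricted, untrusted X11 client
#   trusted    ForwardX11Trusted yes: full access to the display
#   unknown    forwarding is on but the trust setting is missing from the input
x11_forward_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else if (trusted == "no")  print "untrusted"
            else                       print "unknown"
        }'
}

# Constructed samples standing in for real `ssh -G` output; the host name
# jail1.example.org is hypothetical.
SAMPLE_TRUSTED='hostname jail1.example.org
forwardx11 yes
forwardx11trusted yes'

SAMPLE_UNTRUSTED='hostname jail1.example.org
forwardx11 yes
forwardx11trusted no'

for sample in "$SAMPLE_TRUSTED" "$SAMPLE_UNTRUSTED"; do
    printf '%s\n' "$sample" | x11_forward_mode
done

# Against a real configuration (requires OpenSSH on the local machine):
#   ssh -G jail1.example.org | x11_forward_mode
```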