Date: Mon, 17 Feb 2014 11:53:42 -0700
From: Ian Lepore <ian@FreeBSD.org>
To: "A.J. 'Fonz' van Werven" <freebsd@skysmurf.nl>
Cc: freebsd-stable@FreeBSD.org, Phil Regnauld <regnauld@x0.dk>
Subject: Re: Should I use jail?
Message-ID: <1392663222.1145.19.camel@revolution.hippie.lan>
In-Reply-To: <20140217183927.GA6886@spectrum.skysmurf.nl>
References: <CAA_8tFq7JNw0=nqz5ByyfJs8cyEu+5z+sry=NESViegUSZBJ0Q@mail.gmail.com> <5300C998.7010508@gibfest.dk> <20140216142824.GA25883@spectrum.skysmurf.nl> <20140216151257.GP71201@macbook.bluepipe.net> <20140217183927.GA6886@spectrum.skysmurf.nl>
On Mon, 2014-02-17 at 19:39 +0100, A.J. 'Fonz' van Werven wrote:
> Phil Regnauld wrote:
>
> >>> For what it's worth I never, ever run any service without running it in
> >>> a jail.
> >>
> >> Smartass comment: if that includes ntpd or a master NIS server, would
> >> you care to divulge how you did that?
> >
> > I don't know why the NIS server would be any different,
>
> The problem with NIS (and by extension NFS) is rpcbind, which AFAIK cannot
> run in a jail.
>
> For jails that are NIS clients(*) I currently have to use a workaround I
> found on the Forums, which is to add
>
> service rpcbind forcestop
>
> to /etc/rc.d/ypbind because otherwise (yp)chsh, (yp)chfn and (yp)passwd
> won't work from the jails.
>
> > but for services that require access to devices (say, ntpd talking to a
> > GPS over USB), you define new devfs rules to unhide the requisite /dev/
> > entries for the jails running the service. I do this for OpenDNSSEC
> > using a smartcard reader.
> >
> > Here's a devfs.conf entry to make it possible to access BPF (for tcpdump
> > among other things - but beware of giving access to raw devices this
> > way) and ugen* devices under /dev/
> >
> > [devfsrules_jail_bpf=5]
> > add include $devfsrules_jail
> > add path 'bpf*' unhide
> > add path 'ugen0.*' unhide
>
> What do you know: what was intended as a smartass comment that I almost
> refrained from sending in the first place actually elicited a useful
> response. Thank you very much for the suggestion, I'll look into that.
>
> The main question would be which /dev entry provides (write) access to the
> system clock, if that even goes through a /dev entry to begin with. A
> quick look through /usr/src/sys didn't turn up anything.

ntpd (or anything else running as root) steers the system clock using
ntp_adjtime(2), defined in sys/timex.h. There are no devices involved
unless ntpd is also processing a PPS signal, in which case it uses
/dev/pps#.

-- 
Ian
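The practical consequence of Ian's answer is that no devfs ruleset can give a jailed ntpd the ability to steer the clock: the steering path is the ntp_adjtime(2) system call, and what gates it is the kernel's clock-setting privilege check, not visibility of a /dev node. The program below is an added example, not code from this thread or from ntpd, that makes that visible: it performs the read-only query ntpd uses to inspect the clock discipline and then requests a zero-length offset correction, which goes through the same privilege check as a real correction without moving the clock. The function names are mine; the interface (struct timex, ntp_adjtime, MOD_OFFSET, the TIME_* states) is the one in <sys/timex.h> on FreeBSD and, with the same names, in glibc on Linux. As far as I know a FreeBSD jail has no allow.* flag that grants root the clock privilege, so run it once on the host and once inside the jail to see which side of that line ntpd would land on.

```c
/*
 * Added example (not from the thread or from ntpd): probe how ntpd-style clock
 * steering reaches the kernel. It is a system call, ntp_adjtime(2) from
 * <sys/timex.h>, not a /dev node, so no devfs rule can grant it; what decides
 * is whether the caller holds the clock-setting privilege in its current
 * context (user, jail, capability set, seccomp policy).
 * Builds on FreeBSD and on Linux/glibc, which exports the same interface.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/*
 * Read-only query: modes = 0 asks the kernel for its current clock discipline
 * state without changing anything. Returns the clock state (TIME_OK, ...) or
 * -1 with errno set. Unprivileged callers are normally allowed this.
 */
int query_clock_state(struct timex *tx)
{
    memset(tx, 0, sizeof *tx);
    tx->modes = 0;
    return ntp_adjtime(tx);
}

/*
 * Steering probe: request a zero-length offset correction. Because modes is
 * non-zero the kernel runs the same privilege check as for a real correction,
 * so this reveals whether the current context may steer the clock without
 * actually moving it. Returns 0 if allowed, otherwise the errno from the call
 * (EPERM when the privilege is refused, e.g. non-root, or root inside a jail
 * or container that withholds it).
 */
int probe_steer_privilege(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = MOD_OFFSET;  /* a write mode, unlike modes = 0 */
    tx.offset = 0;          /* ask for no change at all */
    if (ntp_adjtime(&tx) < 0)
        return errno;
    return 0;
}

/* Label for the state value a successful ntp_adjtime() query returns. */
const char *clock_state_name(int state)
{
    switch (state) {
    case TIME_OK:    return "TIME_OK (synchronised)";
    case TIME_INS:   return "TIME_INS (leap second pending, insert)";
    case TIME_DEL:   return "TIME_DEL (leap second pending, delete)";
    case TIME_OOP:   return "TIME_OOP (leap second in progress)";
    case TIME_WAIT:  return "TIME_WAIT (leap second just occurred)";
    case TIME_ERROR: return "TIME_ERROR (clock unsynchronised)";
    default:         return "unknown state";
    }
}

int main(void)
{
    struct timex tx;
    int state = query_clock_state(&tx);
    if (state < 0) {
        perror("ntp_adjtime(query)");
    } else {
        printf("clock state: %s\n", clock_state_name(state));
        printf("offset %ld, freq %ld, status 0x%x\n",
               (long)tx.offset, (long)tx.freq, (unsigned)tx.status);
    }

    int err = probe_steer_privilege();
    if (err == 0)
        printf("steering allowed: this context may set the clock\n");
    else if (err == EPERM)
        printf("steering refused (EPERM): no clock-setting privilege here\n");
    else
        printf("steering probe failed: %s\n", strerror(err));
    return 0;
}
```

Build it with `cc -o ntp_probe ntp_probe.c` and run it as root on the host and then inside the jail (copy the binary into the jail's root or build it there). The query succeeds in both places; the steering probe is what differs, and an EPERM inside the jail tells you that unhiding /dev entries for ntpd will not make it a working time server there. The only device ntpd touches is the /dev/pps# node Ian mentions, and that is only for reading a PPS signal, not for setting time.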
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1392663222.1145.19.camel>