From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 27 15:42:17 2006
Message-ID: <44F1B7B7.9090701@erdgeist.org>
Date: Sun, 27 Aug 2006 17:18:15 +0200
From: Dirk Engling <erdgeist@erdgeist.org>
To: Mike Meyer
Cc: hackers@freebsd.org
Subject: Re: jails, cron and sendmail
In-Reply-To: <17649.9146.307818.780974@bhuda.mired.org>
References: <44F0E38F.5030809@erdgeist.org> <17648.59470.572563.377998@bhuda.mired.org> <20060827052733.F16322@erdgeist.org> <17649.9146.307818.780974@bhuda.mired.org>
List-Id: Technical Discussions relating to FreeBSD

Mike Meyer wrote:
> That's just a default. You can change it by adding
> cron_enable="NO" to /etc/rc.conf in each jail. So maybe the question
> should be "Why haven't you turned off cron in the jails?"

Because the system uses cron to start its periodic scripts. The periodic scripts are cool and useful in jails, especially the security scripts. Thus I won't turn off cron.

>> Daniel Gerzo already pointed out how to solve that.
>
> By checking periodic.conf? That doesn't prevent cron from sending
> mail; that just turns off the periodic scripts that cron launches,
> some of which also send mail.

But it prevents a vanilla system from trying to connect to localhost:25 once a day. Only those periodic scripts send mail by default.

> In order: right, wrong and right.

I'm afraid you're wrong.

> The default configuration doesn't expose sendmail to the publicly
> visible IP address. The daemon it runs only listens for connections to
> the localhost address.

Which is rewritten to the jail's (externally visible) address on a connect().

> If your concern is that shutting off a subsystem can break things -
> I'd say that's a *good* thing. One of the things that make Unix
> powerful is that it assumes the user knows what they are doing.

This is... a strange opinion... If the default exposes an unwanted service to the world, then turning it off should not require in-depth knowledge of how to prevent other things in the system from breaking. The service should not even be there in the first place.

> Given the choice between a system that does exactly what I tell it
> to, and one that second guesses me, makes changes behind my back, and
> makes setting things up the way I want a PITA, I know which one I
> want.

I would choose and recommend the system that provides sane and secure defaults without requiring me to understand all of the OS's subsystems. Detecting that /etc/ is inside a jail environment and adjusting your sendmail and periodic settings would be a nice thing to have.

Regards
erdgeist
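As an added example (not part of the thread, and not FreeBSD's own code), a sh script that shows the two things being argued about: how a jail-local audit of sockstat(1) output reveals a "localhost-only" sendmail actually bound to the jail's address, and the rc.conf(5)/periodic.conf(5) settings that stop the daemon and the daily mail attempts. The sockstat text and the jail address 192.0.2.10 are constructed sample data.

```shell
#!/bin/sh
# Constructed `sockstat -4 -l` output as seen from inside a jail whose
# address is 192.0.2.10: the daemon that "listens on localhost" shows up
# bound to the jail IP, because the jail rewrites 127.0.0.1 to its address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   192.0.2.10:25         *:*
root     sshd       1100  3  tcp4   192.0.2.10:22         *:*
root     syslogd    900   4  udp4   127.0.0.1:514         *:*'

# Print "COMMAND LOCAL" for every tcp4 listener on the given port whose
# local address is not the loopback address. Reads sockstat text on stdin.
exposed_listeners() {
    awk -v port="$1" '
        NR > 1 && $5 == "tcp4" {
            n = split($6, a, ":")
            if (a[n] == port && a[1] != "127.0.0.1") print $2, $6
        }'
}

# Run the audit over the constructed sample; returns the sendmail line.
check_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners 25
}

# Settings that remove the cause rather than the symptom. These are the
# documented rc.conf(5) knobs that keep every sendmail daemon from starting.
RC_CONF_LINES='sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"'

# periodic.conf(5): an absolute path sends the reports to a file instead of
# mailing them, so cron's periodic runs no longer connect to port 25.
PERIODIC_CONF_LINES='daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
daily_status_security_output="/var/log/security.log"'

if [ "${1:-}" = "--run" ]; then
    echo "tcp4 listeners on :25 not bound to 127.0.0.1:"; check_sample
    echo; echo "Add to the jail's /etc/rc.conf:"; printf '%s\n' "$RC_CONF_LINES"
    echo; echo "Add to the jail's /etc/periodic.conf:"; printf '%s\n' "$PERIODIC_CONF_LINES"
fi
```

Inside a real jail, replace the sample with `sockstat -4 -l | exposed_listeners 25`; an empty result after the rc.conf change and a restart confirms nothing is left listening on the jail's address.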