Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 27 Aug 2006 17:18:15 +0200
From:      Dirk Engling <erdgeist@erdgeist.org>
To:        Mike Meyer <mwm-keyword-freebsdhackers2.e313df@mired.org>
Cc:        hackers@freebsd.org
Subject:   Re: jails, cron and sendmail
Message-ID:  <44F1B7B7.9090701@erdgeist.org>
In-Reply-To: <17649.9146.307818.780974@bhuda.mired.org>
References:  <44F0E38F.5030809@erdgeist.org>	<17648.59470.572563.377998@bhuda.mired.org>	<20060827052733.F16322@erdgeist.org> <17649.9146.307818.780974@bhuda.mired.org>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Meyer wrote:

> That's just a default. You can can change it by adding
> cron_enable="NO" to /etc/rc.conf in each jail. So maybe the question
> should be "Why haven't your turned off cron in the jails?"

Because the system uses cron to start its periodic scripts. The periodic
scripts are cool and useful in jails, especially the security scripts.
Thus I wont turn off cron.

>> Daniel Gerzo already pointed out, how to solve that.
> 
> By checking periodic.conf? That doesn't prevent cron from sending
> mail; that just turns off the periodic scripts that cron launches,
> some of which also send mail.

But it prevents a vanilla system to try to connect to localhost:25 once
a day. Only those periodic scripts send mails per default.

> In order: right, wrong and right.

I'm afraid, you're wrong.

> The default configuration doesn't expose sendmail to the publicly
> visible IP addres. The daemon it runs only listens for connections to
> the localhost address.

Which is rewritten to the jails (externally visible) address on a connect()

> If your concern is that shutting off a subsystem can break things -
> I'd say that's a *good* thing. One of the things that make Unix
> powerful is that it assumes the user knows what they are doing.

This is... a strange opinion... If the default exposes an unwanted
service to the world, then turning it off should not require indepth
knowledge in how to prevent other things in the system to break. The
service should not even be there in the first place.

> Given the choice between a system that does exactly what I tell it
> to, and one that second guesses me, makes changes behind my back, and
> makes setting things up the way I want a PITA, I know which one I 
> want.

I would chose and recommend the system that provides sane and secure
defaults without requiring me to understand all of the OSs sub systems.


Detecting that /etc/ is inside a jail environment and adjusting your
sendmail and periodic settings would be a nice thing to have.

Regards

  erdgeist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE8be3ImmQdUyYEgkRAhogAJ9PDDu5SkZOp15OmzAt/Tfx8yW2zwCgg5Qo
sjq1PJ/f3u3gIUiPuX8sbm8=
=ouev
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44F1B7B7.9090701>