From: Alexander Leidinger
To: Ivan Voras
Cc: freebsd-hackers@freebsd.org
Date: Tue, 01 Dec 2009 09:32:56 +0100
Subject: Re: UNIX domain sockets on nullfs still broken?

Quoting Ivan Voras (from Mon, 30 Nov 2009 16:14:40 +0100):

> xorquewasp@googlemail.com wrote:
>> On 2009-11-30 15:43:01, Ivan Voras wrote:
>>> xorquewasp@googlemail.com wrote:
>>>> 76030 initial thread STRU struct sockaddr { AF_LOCAL,
>>>> /tmp/jack-11001/default/jack_0 }
>>>> 76030 initial thread NAMI "/tmp/jack-11001/default/jack_0"
>>>> 76030 initial thread RET connect -1 errno 61 Connection refused
>>> I would expect to see this result from the jail since it's
>>> obviously a Bad Idea, but does it work from the same (host) machine

It is not a bad idea, at least not if we talk about mounting something
from JailA to JailB. Think about the MySQL socket. I have a jail with
MySQL, and I have a jail which wants to connect to it. I do not want to
allow network connections between those jails (be it for performance
reasons, or that I do not want to involve a network connection, or that
I do not want to give the MySQL jail an IP at all or whatever).
Solution: give access to the socket via the FS. Ideally by putting the
socket in its own directory and mounting this directory over to the
jail. A workaround for this scenario is below.

>>> without the jail in between (i.e. just the nullfs, no jails)?
>>
>> Hm, yes, you're right. It does work without a jail involved.
>>
>> What's the sane solution, then, when the only method of communication
>> is unix domain sockets?
>
> It is a security problem. I think the long-term solution would be to

It is a risk-management problem, and as such not the responsibility of
FreeBSD to enforce it. If the sysadmin wants to shoot himself in the
foot, it is his decision.

> add a sysctl analogous to security.jail.param.securelevel to handle this.

Do you know the code which is responsible for the rejection of access to
the socket? If yes I can provide a patch regarding jail.param.something.

> I don't think there is a workaround right now.

My workaround with MySQL is to have the jail and the socket in the same
FS (I would prefer to have them on separate FS). Then you can do a
hardlink of the socket into the jail (obviously after each restart of
the software, but this can be scripted). This works for me.

Bye,
Alexander.

-- 
You are capable of planning your future.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
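
The hard-link workaround described in the message above, sketched as a script (an added example, not part of the original post and not FreeBSD project code). The function names and all paths are hypothetical; it assumes the service's socket and the jail's directory tree live on the same filesystem, as the message requires.

```shell
#!/bin/sh
# Added example: re-create the hard link to a UNIX domain socket inside a
# jail after the service restarts. All names and paths are hypothetical.

# Print the device ID of the filesystem holding $1.
# GNU/busybox stat takes -c; FreeBSD stat takes -f. Try -c first, because
# GNU "stat -f" reports filesystem status instead of file status.
dev_of() {
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# link_socket SRC DST
# Returns 0 on success (or if DST already is SRC), 1 if SRC is not a socket,
# 2 if SRC and DST's directory are on different filesystems, 3 if linking fails.
link_socket() {
    src=$1
    dst=$2
    dstdir=$(dirname "$dst")

    # Expose only a real socket: refuse regular files, directories, symlinks.
    [ -S "$src" ] && [ ! -L "$src" ] || return 1

    # Hard links cannot cross filesystems, so check before touching the jail.
    [ "$(dev_of "$src")" = "$(dev_of "$dstdir")" ] || return 2

    # Nothing to do if the jail already sees the current socket inode.
    [ "$src" -ef "$dst" ] && return 0

    # A restart creates a new socket inode and leaves the old link stale.
    # Link under a temporary name, then rename over the stale entry so the
    # jail never sees a missing socket path.
    tmp="$dstdir/.sock.$$"
    ln "$src" "$tmp" || return 3
    mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 3; }
}

# Example call from the service's start script (hypothetical paths):
# link_socket /tmp/mysql.sock /jails/web/tmp/mysql.sock
```

The link gives the jail the same socket inode, so the socket's own owner and mode are what still control who may connect from inside the jail.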