From: Piotr Chytla
To: freebsd-security@freebsd.org
Date: Tue, 15 Feb 2005 20:33:43 +0100
Subject: Identd in jail.
Message-ID: <20050215193342.GA19313@fouk.org>

Hi

A few days ago I had a problem with running identd in a jail on 4.10-stable. I found that the getcred() sysctl isn't permitted from within a jail on 4.x. R. Watson suggested a "cheap hack" for this, but I've solved it without patching the kernel.

My patched ident gets the result of the getcred() sysctl from the jauthd daemon via a unix socket. Jauthd is simply a getcred proxy: it gets two sockaddr_in from the jailed process and sends back a ucred. The jauthd daemon can be extended to verify the data received from the jailed process, and of course to listen in many jails.

I know that this isn't far better than the "cheap hack" :)) but for sure it doesn't give the getcred sysctl to everyone in the system, and in all jails.

http://fouk.org/~pch/patches/builtins.c.patch
Apply this patch to /usr/src/usr.sbin/inetd/builtins.c and add AUTHJAIL to the Makefile.

http://fouk.org/~pch/patches/jauthd.c

/pch
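The proxy exchange described in the post, as an added example that is not the author's jauthd code: the jailed side packs two sockaddr_in-like records into a request over an AF_UNIX socket, and the daemon side answers with the uid only after checking that the local address belongs to the requesting jail, which is the verification step the post says jauthd can be extended with. The wire format, the simplified address records, the constructed connection table standing in for the getcred sysctl and the jail-to-address mapping are all assumptions.

```python
import socket
import struct

# Assumed wire format (the post does not document jauthd's protocol):
# request = two records (local, then remote), each family/port/IPv4 address;
# reply = one signed 32-bit uid, or -1 when jauthd refuses the lookup.
REQ_FMT = "!HH4sHH4s"
REPLY_FMT = "!i"
AF_INET = socket.AF_INET

# Constructed stand-in for the net.inet.tcp.getcred sysctl: TCP 4-tuple
# (local ip, local port, remote ip, remote port) -> uid owning the socket.
CONN_TABLE = {
    ("10.0.0.5", 113, "192.0.2.7", 40001): 1001,  # connection in jail 10.0.0.5
    ("10.0.0.6", 22, "192.0.2.7", 40002): 0,      # connection in another jail
}

def pack_request(local, remote):
    """Jailed side: pack (ip, port) pairs the way the patched ident would."""
    return struct.pack(REQ_FMT, AF_INET, local[1], socket.inet_aton(local[0]),
                       AF_INET, remote[1], socket.inet_aton(remote[0]))

def jauthd_handle(request, jail_ip):
    """Daemon side: answer only for the address bound to the calling jail,
    so one jail cannot look up credentials of sockets it does not own."""
    fam1, lport, laddr, fam2, rport, raddr = struct.unpack(REQ_FMT, request)
    lip, rip = socket.inet_ntoa(laddr), socket.inet_ntoa(raddr)
    if fam1 != AF_INET or fam2 != AF_INET or lip != jail_ip:
        return struct.pack(REPLY_FMT, -1)  # refuse: not this jail's address
    return struct.pack(REPLY_FMT, CONN_TABLE.get((lip, lport, rip, rport), -1))

def run_exchange(local, remote, jail_ip="10.0.0.5"):
    """Drive one request/reply over an AF_UNIX socketpair; return the uid
    the jailed ident would report (-1 means refused or unknown)."""
    client, server = socket.socketpair(socket.AF_UNIX)
    with client, server:
        client.sendall(pack_request(local, remote))
        request = server.recv(struct.calcsize(REQ_FMT))
        server.sendall(jauthd_handle(request, jail_ip))  # jail_ip: assumed
        (uid,) = struct.unpack(REPLY_FMT, client.recv(struct.calcsize(REPLY_FMT)))
        return uid

if __name__ == "__main__":
    print(run_exchange(("10.0.0.5", 113), ("192.0.2.7", 40001)))  # own jail: 1001
    print(run_exchange(("10.0.0.6", 22), ("192.0.2.7", 40002)))   # other jail: -1
```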