Date: Fri, 27 Aug 2021 13:34:48 +0400 From: antranigv <antranigv@freebsd.am> To: Alan Somers <asomers@freebsd.org>, Jamie Landeg-Jones <jamie@catflap.org> Cc: "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org> Subject: Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever? Message-ID: <5DB070E0-2602-4C15-B950-920B56506E15@freebsd.am> In-Reply-To: <CAOtMX2jWOm1sA%2BqoaYpMR9vvcn2_KkY=dvX6ko2euh5-2hwgWQ@mail.gmail.com> References: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am> <CAOtMX2jWOm1sA%2BqoaYpMR9vvcn2_KkY=dvX6ko2euh5-2hwgWQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Dear Jamie and Alan,
Thank you both for your inputs.
Jamie, I totally understand your point, for an issue like this to be =
fixed, we=20
need to patch some subsystem. I'm not sure I have enough knowledge to do =
that,=20
but what you point is called UID Virtualization. If I am not mistaken =
illumos=20
systems do that for their Zones. I have to get into it, hopefully =
something=20
similar can be done with FreeBSD.
So,
1) Yes, patching only ps/top will not solve the issue, what about htop?=20=
sockstat? procstat? etc.
2) The ideal way is to make a major change. Look into what other systems =
are=20
doing and try to implement it here.
Alan, I got a PoC working!
#include <pwd.h>
#include <jail.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/types.h>
#include <sys/socket.h>
int main(int argc, char *argv[]){
struct passwd *pwd;
int sp[2], uid;
pid_t pid;
if (argc < 2 ) { printf("usage: psjail UID\n"); exit(1); }
uid =3D atoi(argv[1]);
printf("Got UID: %d\n", uid);
socketpair(PF_LOCAL, SOCK_STREAM, 0, sp);
pid =3D fork();
if (pid =3D=3D 0){
printf("In the child process\n");
printf("Going into Jail\n");
jail_attach(35);
pwd =3D getpwuid(uid);
if (pwd =3D=3D NULL) {
printf("In the Jail: no user found\n");
write(sp[1], "", sizeof(pwd));
} else {
printf("In the Jail: %s\n", pwd->pw_name);
write(sp[1], pwd->pw_name, =
sizeof(pwd->pw_name));
printf("Message sent\n");
}
_Exit(0);
} else {
char buf[sizeof(pwd->pw_name)];
printf("I'm the parent\n");
int n =3D read(sp[0], buf, sizeof(pwd->pw_name));
printf("got %d bytes\n", n);
printf("parent got : '%s'\n", buf);
pwd =3D getpwuid(uid);
if (pwd =3D=3D NULL) {
printf("In the parent: no user found\n");
} else {
printf("In the parent: %s\n", pwd->pw_name);
}
}
printf("Done executing\n");
return 42;
}
Here's a sample output,
root@srv0:~/src # ./spjail 1001
Got UID: 1001
I'm the parent
In the child process
Going into Jail
In the Jail: romero
Message sent
got 8 bytes
parent got : 'romero'
In the parent: no user found
Done executing
root@srv0:~/src # ./spjail 1000
Got UID: 1000
I'm the parent
In the child process
Going into Jail
In the Jail: no user found
got 8 bytes
parent got : ''
In the parent: no user found
Done executing
Now, as Jamie said, this is not a good idea, it's basically a "Hack." I =
will=20
try to find a proper way to virtualize the UID table, write a PoC for =
that and=20
see what the community thinks about that.
I like Jamie's approach, but I would not want it to be manual. We need =
some=20
automated way. Sure, I can integrate that into my Jail Orchestrator, but =
some=20
people want to use jail(8) with jail.conf, and it should be simple for =
them as=20
well.
Thank you all. Any more input will be appreciated.
Kind regards,
--
antranigv
https://antranigv.am/
> On 26 Aug 2021, at 5:43 AM, Alan Somers <asomers@freebsd.org> wrote:
>=20
> On Mon, Aug 23, 2021 at 4:03 AM antranigv <antranigv@freebsd.am> =
wrote:
>=20
>> Greetings all,
>>=20
>> I am trying to have better integration of top(1) and ps(1) with =
FreeBSD
>> Jails.
>>=20
>> The main problem that I am trying to solve is displaying the correct =
UID
>> username. Here's an example.
>>=20
>> I have a host (srv0), it is running a Jail named "fsoc", The Jail =
"fsoc"
>> has a user named "romero" with the UID 1001.
>>=20
>> If I run `ps auxd` in the Jail, I get the following,
>>=20
>> romero@fsoc:~ $ ps auxd
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> root 4377 0.0 0.0 11376 956 - SsJ 14:15 0:00.38
>> /usr/sbin/syslogd -ss
>> root 5758 0.0 0.1 13128 1352 1 IJ 18:24 0:00.02 /bin/tcsh =
-i
>> root 5763 0.0 0.0 12048 960 1 IJ 18:24 0:00.01 - su - =
romero
>> romero 5764 0.0 0.1 12120 2268 1 SJ 18:24 0:00.02 `-- -su =
(sh)
>> romero 9625 0.0 0.1 11684 2576 1 R+J 09:41 0:00.01 `-- ps =
auxd
>>=20
>> Good!
>>=20
>> However, if I try to run it on the host, here's what I get,
>>=20
>> root@srv0:~ # ps auxd -J fsoc
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> root 4377 0.0 0.0 11376 956 - SsJ 14:15 0:00.38 =
/usr/sbin/syslogd
>> -ss
>> root 5758 0.0 0.1 13128 1352 1 IJ 18:24 0:00.02 /bin/tcsh -i
>> root 5763 0.0 0.0 12048 960 1 IJ 18:24 0:00.01 - su - romero
>> 1001 5764 0.0 0.1 12124 2436 1 I+J 18:24 0:00.02 `-- -su (sh)
>>=20
>> As you can see, in the User field it says 1001, because the host does =
not
>> have a user with that UID.
>>=20
>> This seems fine, but it becomes an issue when you have multiple Jail =
and a
>> large host running.
>>=20
>> Here's an example if the host had a user with UID 1001,
>>=20
>> root@pingvinashen:~ # ps auxd -J oragir
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME =
COMMAND
>> root 949 0.0 0.0 11344 2584 - IsJ Mon19 0:01.13
>> /usr/sbin/cron -s
>> root 1962 0.0 0.0 11428 2796 - SsJ Mon19 0:01.83
>> /usr/sbin/syslogd -ss
>> antranigv 95342 0.0 0.0 11004 2424 - IsJ Mon19 0:00.48 =
daemon:
>> /usr/home/oragir/writefreely/writefreely[9992] (daemon)
>> antranigv 9992 0.0 0.4 767244 58336 - IJ Mon19 2:58.87 -
>> /usr/home/oragir/writefreely/writefreely
>>=20
>> Now, you would think that this is good, however, if you run this in =
the
>> jail,
>>=20
>> root@oragir:~ # ps auxd
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> root 949 0.0 0.0 11344 2584 - SsJ Mon15 0:01.13
>> /usr/sbin/cron -s
>> root 1962 0.0 0.0 11428 2796 - SsJ Mon15 0:01.83
>> /usr/sbin/syslogd -ss
>> oragir 95342 0.0 0.0 11004 2424 - IsJ Mon15 0:00.48 daemon:
>> /usr/home/oragir/writefreely/writefreely[9992] (daemon)
>> oragir 9992 0.0 0.4 767244 58336 - IJ Mon15 2:58.88 -
>> /usr/home/oragir/writefreely/writefreely
>> root 88228 0.0 0.0 13336 4004 8 SJ 09:45 0:00.01 =
/bin/csh -i
>> root 99502 0.0 0.0 11824 3140 8 R+J 09:45 0:00.00 - ps =
auxd
>>=20
>> As you can see, the UID 1001 was not `antranigv`, instead it was =
`oragir`.
>>=20
>> This has been an issue for me, so I tried writing some code to =
implement
>> the following.
>>=20
>> If the process is in a Jail, then change the passwd db from /etc to
>> /path/of/the/jail/etc.
>>=20
>> I thought it would be an easy thing to do, but not so much.
>>=20
>> Here's what I've tried.
>>=20
>> 1) Call jail_attach and run ps inside the Jail. Oh yeah, it's a jail!
>> after attaching to it there is no way to deattach :-) silly me!
>>=20
>> 2) Change the passwd file for getpwuid/getpwnam. I wanted to use
>> setpwfile(3) but turns out that \
>> COMPATIBILITY
>> The historic function setpwfile(3), which allowed the =
specification of
>> alternate password databases, has been deprecated and is no =
longer
>> available.
>>=20
>> Okay, So I look into how other tools like pwd_mkdb is written and I =
see
>> that everything is defined (pun intended) the following way,
>>=20
>> in /usr/include/pwd.h
>>=20
>> #define _PATH_PWD "/etc"
>> #define _PATH_PASSWD "/etc/passwd"
>> #define _PASSWD "passwd"
>> #define _PATH_MASTERPASSWD "/etc/master.passwd"
>> #define _MASTERPASSWD "master.passwd"
>>=20
>> #define _PATH_MP_DB "/etc/pwd.db"
>> #define _MP_DB "pwd.db"
>> #define _PATH_SMP_DB "/etc/spwd.db"
>> #define _SMP_DB "spwd.db"
>>=20
>> #define _PATH_PWD_MKDB "/usr/sbin/pwd_mkdb"
>>=20
>> and pwd_mkdb does the following
>>=20
>> ...
>> strcpy(prefix, _PATH_PWD);
>> ...
>> case 'd':
>> dflag++;
>> strlcpy(prefix, optarg, sizeof(prefix));
>> break;
>> ...
>>=20
>> Tuns out it parses the DB file, but I don't want to do that in =
ps/top! :-)
>>=20
>> 3) Just for fun, I played with chroot. I tried the following code.
>> # cat getpw.c
>>=20
>> #define MAXHOSTNAMELEN 255
>> #define MAXPATHLEN 255
>> #include <pwd.h>
>> //#include <jail.h>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <sys/uio.h>
>> #include <sys/jail.h>
>> #include <sys/param.h>
>> #include <sys/types.h>
>>=20
>> int main(){
>> // Just get root!
>> struct passwd *pwd;
>> printf("just root: %s\n", (getpwuid(0))->pw_name);
>>=20
>> // let's try with undef/define
>> #undef _PATH_PWD
>> #undef _PATH_PASSWD
>> #undef _PASSWD
>> #undef _PATH_MASTERPASSWD
>> #undef _MASTERPASSWD
>>=20
>> #undef _PATH_MP_DB
>> #undef _MP_DB
>> #undef _PATH_SMP_DB
>> #undef _SMP_DB
>>=20
>> #define _PATH_PWD "/zdata/jails/fsoc/etc"
>> #define _PATH_PASSWD "/zdata/jails/fsoc/etc/passwd"
>> #define _PASSWD "passwd"
>> #define _PATH_MASTERPASSWD "/zdata/jails/fsoc/etc/master.passwd"
>> #define _MASTERPASSWD "master.passwd"
>>=20
>> #define _PATH_MP_DB "/zdata/jails/fsoc/etc/pwd.db"
>> #define _MP_DB "pwd.db"
>> #define _PATH_SMP_DB "/zdata/jails/fsoc/etc/spwd.db"
>> #define _SMP_DB "spwd.db"
>> pwd =3D getpwuid(1001);
>> if (pwd =3D=3D NULL) {
>> printf("using undef/define: no user found\n");
>> } else {
>> printf("using undef/define: %s\n", pwd->pw_name);
>> }
>>=20
>> // let's try with chroot!
>> chroot("/zdata/jails/fsoc");
>> pwd =3D getpwuid(1001);
>> if (pwd =3D=3D NULL) {
>> printf("after chroot: no user found\n");
>> } else {
>> printf("after chroot: %s\n", pwd->pw_name);
>> }
>>=20
>> // escape back the chroot ;-)
>> chroot("../../../../");
>> pwd =3D getpwuid(1001);
>> if (pwd =3D=3D NULL) {
>> printf("after unchroot: no user found\n");
>> } else {
>> printf("after chroot: %s\n", pwd->pw_name);
>> }
>>=20
>> return 42;
>> }
>>=20
>> And I get the following:
>>=20
>> # ./getpw
>> just root: root
>> using undef/define: no user found
>> after chroot: romero
>> after unchroot: no user found
>>=20
>> So, any advice? should I do chroot in ps? (no I don't think that's a =
good
>> idea), should I add a new call that implements setpwfile(3)? But I =
really
>> want to know why it was removed, I'm sure there's a story there. Or =
is
>> there a better way?
>>=20
>> Kind regards, have a nice day!
>>=20
>> --
>> antranigv
>> https://antranigv.am/
>>=20
>=20
> Oof, that's a hard problem. But in fact, it's worse than you think.
> /etc/passwd isn't the only place that user information is stored. It
> could be in NIS, or LDAP, or Heimdal, or who knows where. The only
> reliable way to look up a user is to actually do it from within the =
jail.
> You could create a socketpair, then fork a child process and attach =
that to
> the jail, and use it to lookup jailed UIDs. It's complicated, but I =
can't
> imagine anything simpler that would work.
> -Alan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5DB070E0-2602-4C15-B950-920B56506E15>