From owner-freebsd-stable@FreeBSD.ORG Fri Dec 22 03:02:22 2006
Return-Path:
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 148FC16A40F for ; Fri, 22 Dec 2006 03:02:22 +0000 (UTC) (envelope-from cryx-freebsd@h3q.com)
Received: from mail.h3q.com (mail.h3q.com [217.13.206.148]) by mx1.freebsd.org (Postfix) with ESMTP id 6E44213C458 for ; Fri, 22 Dec 2006 03:02:21 +0000 (UTC) (envelope-from cryx-freebsd@h3q.com)
Received: (qmail 27533 invoked from network); 22 Dec 2006 02:35:38 -0000
Received: from unknown (HELO ?192.168.23.66?) (cryx@85.178.109.46) by mail.h3q.com with AES256-SHA encrypted SMTP; 22 Dec 2006 02:35:38 -0000
Message-ID: <458B4479.7060408@h3q.com>
Date: Fri, 22 Dec 2006 03:35:37 +0100
From: Philipp Wuensche
User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207)
MIME-Version: 1.0
To: freebsd-rc@freebsd.org
References: <20061219003401.GA23251@p-i-n.com>
In-Reply-To: <20061219003401.GA23251@p-i-n.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "Raphael H. Becker" , freebsd-stable@freebsd.org
Subject: Re: /etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Dec 2006 03:02:22 -0000

Raphael H. Becker wrote:
> Hi *,
>
> I recently triggered an error when setting up a jail-host: I configured
> the jail(s) like every jail I set up in the past:

Yes, this is a bug in rc.d/jail and was introduced in this change:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32

When a jail fails to start, in your case because of a broken rc.conf in the jail, the jail is stopped and the ipaddr-alias is unconfigured from the interface with the following command:

ifconfig ${jail_interface} -alias ${jail_ip}

Unfortunately, in the change above the variables were renamed to _interface and _ip. This leads to ifconfig getting executed without a specified ipaddr, and therefore the first alias is unconfigured, which is in most cases the ipaddr through which you are accessing the remote host. ${jail_interface} is only the correct interface out of luck, so it should be changed to _interface too.

I think the correct way would be to call jail_stop() instead of doing the cleanup by hand, but in the current implementation this would leave the ipaddr-alias configured on the interface. I think I already mentioned once that I don't like this interface and ipaddr configuration feature in rc.d/jail at all. Anyway, the quick fix is trivial and should be included in 6.2.
Otherwise we have a possible DoS security problem with the new release.

--- rc.d/jail.old	Fri Dec 22 03:09:27 2006
+++ rc.d/jail	Fri Dec 22 03:10:07 2006
@@ -228,8 +228,8 @@
 echo ${_jail_id} > /var/run/jail_${_jail}.id
 else
 jail_umount_fs
-if [ -n "${jail_interface}" ]; then
-ifconfig ${jail_interface} -alias ${jail_ip}
+if [ -n "${_interface}" ]; then
+ifconfig ${_interface} -alias ${_ip}
 fi
 echo " cannot start jail \"${_jail}\": "
 tail +2 ${_tmp_jail}

greetings,
philipp
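Review bot: the renamed variables fix the case this thread is about, but the guard in the hunk still only tests `${_interface}`; if `${_ip}` is ever empty while `${_interface}` is set, the new line `ifconfig ${_interface} -alias ${_ip}` degrades into `ifconfig ${_interface} -alias` again and removes the interface's first alias, which is exactly the effect described above. Suggest guarding on both values, e.g. `if [ -n "${_interface}" -a -n "${_ip}" ]; then`, so the cleanup never issues an `-alias` with no address.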
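The failure mode described in this thread, as an added example that is not part of the original mail or of the rc.d/jail script: an empty address variable turns the alias removal into a bare `ifconfig <if> -alias`, which drops the interface's first alias. The `IFCONFIG` hook and the two function names are assumptions made for this example; it defaults to `echo` so the commands are recorded rather than run against a real interface.

```shell
#!/bin/sh
# Added example, not from rc.d/jail or from the mailing-list post.
# IFCONFIG is a hypothetical hook: it defaults to "echo" so the command
# that would have been run is printed instead of executed.
IFCONFIG="${IFCONFIG:-echo}"

# Mirrors the pattern in the unfixed script: only the interface is checked,
# so an empty ${_ip} yields "ifconfig em0 -alias", which removes whatever
# alias happens to be first on the interface.
unalias_unguarded() {
    _interface="$1"
    _ip="$2"
    if [ -n "${_interface}" ]; then
        ${IFCONFIG} "${_interface}" -alias ${_ip}
    fi
}

# Hardened variant: never issue "-alias" without an explicit address.
# Returns 0 (nothing to undo) when no interface was configured,
# 1 when the interface is set but the address is missing.
unalias_guarded() {
    _interface="$1"
    _ip="$2"
    if [ -z "${_interface}" ]; then
        return 0
    fi
    if [ -z "${_ip}" ]; then
        echo "jail cleanup: interface set but no ip, refusing to run ifconfig -alias" >&2
        return 1
    fi
    ${IFCONFIG} "${_interface}" -alias "${_ip}"
}

# Constructed sample values: the first call shows the dangerous command,
# the second refuses, the third does the intended cleanup.
unalias_unguarded em0 ""
unalias_guarded em0 "" || true
unalias_guarded em0 10.0.0.2
```

Run with `IFCONFIG=echo` (the default) to see the command strings; only set `IFCONFIG=ifconfig` on a host where removing the named alias is what you actually want.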