Date:      Fri, 23 Aug 2013 23:25:19 +0000
From:      "Mike C." <miguelmclara@gmail.com>
To:        galtsev@kicp.uchicago.edu, freebsd-jail@freebsd.org
Subject:   Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
Message-ID:  <5217EF5F.20507@gmail.com>
In-Reply-To: <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>
References:  <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <CAHDrHSuupiWJxAw3arOas1UNCSm_5iqqxn2_eCt84KFiE8wwVA@mail.gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> <5217A640.6070903@gmail.com> <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>

On 08/23/13 17:27, Valeri Galtsev wrote:
> 
> On Fri, August 23, 2013 1:13 pm, Mike C. wrote:
>> On 08/23/13 16:35, Valeri Galtsev wrote:
>>>
>>> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>>>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. <miguelmclara@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On 08/23/13 16:34, Mike C. wrote:
>>>>>> Yes I know about
>>>>>>
>>>>>>> security.jail.allow_raw_sockets=1
>>>>>>
>>>>>> Like I said I can do this with "root" just not with the user nagios,
>>>>>> I
>>>>> guess If raw_sockets was set to 0 on the host, I would have problems
>>>>> with
>>>>> any user!
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----
>>>>>> Putting this in /etc/rc.conf:
>>>>>>
>>>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>>>
>>>>>> does not allow every jail access to raw sockets.  There is an example
>>>>> in
>>>>>> /etc/defaults/rc.conf.
>>>>>>
>>>>>>
>>>>>
>>>>> [EDIT: better English... sorry, typing on smartphones sucks]
>>>>>
>>>>> Now this is something I wasn't aware of... very nice and thanks for
>>>>> the
>>>>> tip on ez-jails, I'm indeed using ez-jails!
>>>>>
>>>>> Is there any other setting that would forbid non root users to use raw
>>>>> sockets?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Mike,
>>>>
>>>> Doesn't sound to me like an issue with the jail's configuration, but
>>>> I'm
>>>> no
>>>> expert.
>>>>
>>>> I'm running NRPE on many jails without issue there and without any
>>>> special
>>>> jail configuration.
>>>>
>>>> Are you getting "Operation not permitted" output from the "check_http"
>>>> plugin on the local system or over something like NRPE our through the
>>>> Nagios configurations?
>>>>
>>>> Josh
>>
>> Local and remote but not with nrpe yet... I guess if I can't use
>> check_http, I will have problems with nrpe too.
>>
>>
>>>
>>> Also, try to do something simple like ping or traceroute as user nagios
>>> (user for whom check_http fails) in that jail, - does that give any
>>> error?
>>>
>>
>> Interesting, I see:
>> traceroute: icmp socket: Operation not permitted
>>
>> Same for
>> ping: socket: Operation not permitted
>>
>> Even with root... so I guess that's the problem, but now I wonder how does
>> check_http work for root? If I can't even ping...
>>
> 
> Also, for whatever reason nice per jail configuration that Scott Lambert
> pointed to did not work for me, so I still had to stay with allowing raw
> sockets in all jails on my boxes... Could you try that less elegant
> configuration I mentioned:
> 
> # execute the command:
> 
> sysctl security.jail.allow_raw_sockets=1
> 
> # restart jail in question
> 
> - and see if you still have raw socket problem for users in that jail.
> 

I was using that already, but thanks for testing the other config! I
haven't tried myself, because I wanted to go one step at a time!

I found the problem, well, the problem is me actually; the host was not
set up by me, but with the use of tcpdump I was able to track this to
pf.conf...

There's a lot of custom config in there since the system is running several
jails with different types of services, web, mail etc...

I thought I had allowed port 80 and even 5666 for nrpe from the jail to
the internet, but I missed the nat rule, which now that I think about it
makes perfect sense!

I never thought about it because it was working for "root", but that's
because there's a pf rule for that... since root always has the same ID in
every host....

So I added a table for <nagios_clients> which will be useful to populate
later... and allowed port 80 for the http check and 5666 for the other checks on
the remote hosts!


Sorry to have taken up your time, guys, and thanks for the hints; I will try the
proposed config for raw sockets and post my results!


> Thanks.
> Valeri
> 
> 
>>
>>> Thanks.
>>> Valeri
>>>
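A pf.conf fragment along the lines of what Mike describes above (NAT for the jail, a <nagios_clients> table, and per-user pass rules for ports 80 and 5666), added here as an illustration; it is not taken from the thread or from his real configuration, and the interface name, the jail address range and the table contents are assumptions.

```pf
# Assumed names and addresses (not from the thread).
ext_if   = "em0"
jail_net = "192.0.2.0/24"        # jail IPs aliased on the host, e.g. on lo1

# Monitored hosts the nagios checks may reach.  "persist" keeps the table
# when it is empty, so it can be filled later with
#   pfctl -t nagios_clients -T add 198.51.100.7
table <nagios_clients> persist { 198.51.100.0/24 }

# The NAT rule that was missing: without it the jail's private source
# address would leave $ext_if untranslated.
nat on $ext_if from $jail_net to any -> ($ext_if)

# pf drops locally originated packets with EPERM, which is exactly the
# "connect -1 errno 1 Operation not permitted" the plugin reports, so a
# missing pass rule for the nagios uid looks like a permission problem.
#
# Caveat: on FreeBSD, NAT is applied before filtering for outgoing packets,
# so "pass out on $ext_if from $jail_net" would not match the translated
# source.  Match on the socket owner (uid) instead; jails share the host
# kernel, so the user option works for traffic originating inside a jail.
block out log on $ext_if user nagios

# uid 0 is the same in every jail, which is why checks run as root worked.
pass out quick on $ext_if proto { tcp udp icmp } user root keep state

# nagios: only the check ports, only towards known monitored hosts.
pass out quick on $ext_if proto tcp to <nagios_clients> port { 80, 5666 } \
    user nagios flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -t nagios_clients -T show` to confirm the table holds the hosts you expect; a check that still fails will then show up under `pfctl -s state` or in the log of the block rule rather than as a jail setting.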