From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 22:25:41 2013
Message-ID: <5217EF5F.20507@gmail.com>
Date: Fri, 23 Aug 2013 23:25:19 +0000
From: "Mike C."
To: galtsev@kicp.uchicago.edu, freebsd-jail@freebsd.org
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> <5217A640.6070903@gmail.com> <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>
In-Reply-To: <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>

On 08/23/13 17:27, Valeri Galtsev wrote:
>
> On Fri, August 23, 2013 1:13 pm, Mike C. wrote:
>> On 08/23/13 16:35, Valeri Galtsev wrote:
>>>
>>> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>>>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:
>>>>>
>>>>> On 08/23/13 16:34, Mike C. wrote:
>>>>>> Yes I know about
>>>>>>
>>>>>>> security.jail.allow_raw_sockets=1
>>>>>>
>>>>>> Like I said I can do this with "root" just not with the user nagios,
>>>>>> I guess if raw_sockets was set to 0 on the host, I would have
>>>>>> problems with any user!
>>>>>>
>>>>>> ----
>>>>>> Putting this in /etc/rc.conf:
>>>>>>
>>>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>>>
>>>>>> does not allow every jail access to raw sockets. There is an example
>>>>>> in /etc/defaults/rc.conf.
>>>>>>
>>>>>
>>>>> [EDIT: better English... sorry, typing on smartphones sucks]
>>>>>
>>>>> Now this is something I wasn't aware of... very nice, and thanks for
>>>>> the tip on ez-jails, I'm indeed using ez-jails!
>>>>>
>>>>> Is there any other setting that would forbid non-root users to use
>>>>> raw sockets?
>>>>>
>>>>> Thanks
>>>>>
>>>> Mike,
>>>>
>>>> Doesn't sound to me like an issue with the jail's configuration, but
>>>> I'm no expert.
>>>>
>>>> I'm running NRPE on many jails without issue there and without any
>>>> special jail configuration.
>>>>
>>>> Are you getting "Operation not permitted" output from the "check_http"
>>>> plugin on the local system or over something like NRPE or through the
>>>> Nagios configurations?
>>>>
>>>> Josh
>>
>> Local and remote but not with nrpe yet... I guess if I can't use
>> check_http, I will have problems with nrpe too.
>>
>>> Also, try to do something simple like ping or traceroute as user nagios
>>> (user for whom check_http fails) in that jail, - does that give any
>>> error?
>>>
>>
>> Interesting, I see:
>> traceroute: icmp socket: Operation not permitted
>>
>> Same for
>> ping: socket: Operation not permitted
>>
>> Even with root... so I guess that's the problem, but I wonder now, how
>> does check_http work for root? If I can't even ping...
>>
>
> Also, for whatever reason the nice per-jail configuration that Scott
> Lambert pointed to did not work for me, so I still had to stay with
> allowing raw sockets in all jails on my boxes... Could you try that less
> elegant configuration I mentioned:
>
> # execute the command:
>
> sysctl security.jail.allow_raw_sockets=1
>
> # restart jail in question
>
> - and see if you still have the raw socket problem for users in that
> jail.
>

I was using that already, but thanks for testing the other config! I
haven't tried it myself, because I wanted to go one step at a time!

I found the problem; well, the problem is me actually. The host was not
set up by me, but with the use of tcpdump I was able to track this to
pf.conf... There's a lot of custom config in there since the system is
running several jails with different types of services, web, mail etc...

I thought I had allowed port 80 and even 5666 for nrpe from the jail to
the internet, but I missed the nat rule, which now that I think about it
makes perfect sense! I never thought about it because it was working for
"root", but that's because there's a pf rule for that... since root
always has the same ID in every host....

So I added a table, which will be useful to populate later... and
allowed port 80 for the http check and 5666 for the other check on the
remote hosts!

Sorry to have taken you guys' time, and thanks for the hints; will try
the proposed config for raw sockets and post my results!

> Thanks.
> Valeri
>
>>> Thanks.
>>> Valeri
>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
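The pf side of what Mike describes (a uid-scoped rule that only ever matched root, a missing nat rule, and a table of monitored hosts), written out as an added illustration. This is not the poster's ruleset, which the thread never shows: the interface name, the jail addresses and the table contents are assumptions or constructed sample values.

```pf
# Added illustration of the pf.conf situation described in the thread.
# Not the poster's actual ruleset: interface name, addresses and table
# contents are assumptions / constructed samples.

ext_if = "em0"                            # assumed external interface
table <jails> { 192.0.2.10, 192.0.2.11 }  # jail IPs (constructed, TEST-NET-1)
table <nagios_targets> persist            # remote hosts checked from the jail;
                                          # empty now, populated later with
                                          # 'pfctl -t nagios_targets -T add <ip>'

# The missing piece. Translation is evaluated before filtering, so without
# this rule the jail's packets leave with the untranslated jail address
# and never get a reply, whatever the pass rules below say.
nat on $ext_if from <jails> to any -> ($ext_if)

block all

# The rule that made it "work for root": pf's "user" option matches the
# uid owning the local socket, and uid 0 is root on the host and in every
# jail. Connections opened by the nagios user never matched it.
pass out quick on $ext_if proto tcp to any user root

# Scope the Nagios checks to what they need: HTTP checks and NRPE (5666)
# to the monitored hosts only, for the nagios uid only.
# NOTE: "user nagios" is resolved to a numeric uid on the host when the
# ruleset is loaded; if the jail's nagios user has a different uid, put
# that number here instead of the name.
pass out quick on $ext_if proto tcp to <nagios_targets> port { 80, 5666 } user nagios
```

Two details worth keeping in mind when adapting this. First, because nat runs before the filter, the `pass out` rules on `$ext_if` see the translated source address, which is why they select on destination and `user` rather than on `<jails>`. Second, `check_http` and NRPE use ordinary TCP sockets, so they are unaffected by `allow.raw_sockets`; that parameter only governs the ICMP raw sockets that `ping` and `traceroute` need, which is why root's `check_http` could succeed in a jail where `ping` still failed. Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and `tcpdump -ni em0` on the host (as in the thread) shows whether the jail's packets leave translated or not.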