From owner-freebsd-hackers@freebsd.org Wed Sep 4 22:23:12 2019
Subject: Re: A jail notion.
To: Zaphod Beeblebrox, FreeBSD Hackers
From: Dewayne Geraghty
Date: Thu, 5 Sep 2019 08:22:54 +1000
Message-ID: <84adec37-c0e8-5209-1da1-c05b77f02d82@heuristicsystems.com.au>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

Zaphod, I've had the same problem.
Even after merging all UIDs and GIDs into the host environment (preferably with appropriate replacements of: /nonexistent:/usr/sbin/nologin), I was confronted with the same uid across multiple jails. So really "ps -o jid,pid,command" and "top -j" are useful - and it takes minor effort. However, the problem is with /var/audit logs - the subject really needs a jail id field, but that's not quite on-topic.

Kerberos users still require/have a userid - either as a person (account) or an application (account); if you go this route, linking Heimdal and OpenLDAP works nicely - I used to use these together with pre-samba4.X, but you still need an account; while post-samba3, you'll need to modify nsswitch.conf so the system can find a userid mapping. NIS was helpful but for our env unsuitable, as we didn't want all xIDs exposed in the jails.

FWIW I added this to acquire jail id information in the /var/audit logs (a very long time ago - not my original idea, I just met the need):

--- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c (revision 351800) +++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c (working copy) @@ -172,6 +172,7 @@ fprintf(stderr, "\t\t pid=\n"); fprintf(stderr, "\t\t semid=\n"); fprintf(stderr, "\t\t shmid=\n"); + fprintf(stderr, "\t\t zone=\n"); fprintf(stderr, "\t-r : real user\n"); fprintf(stderr, "\t-u : audit user\n"); fprintf(stderr, "\t-v : select non-matching records\n"); @@ -593,6 +594,9 @@ } else if (!strcmp(name, SOCKOBJ)) { p_sockobj = val; SETOPT(opttochk, OPT_oso); + } else if (!strcmp(name, ZONEOBJ)) { + p_sockobj = val; + SETOPT(opttochk, OPT_z); } else usage("unknown value for -o"); } Index: /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h =================================================================== --- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h (revision 351800) +++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h (working copy)
@@ -57,6 +57,7 @@ #define OPT_u 0x00010000 #define OPT_A 0x00020000 #define OPT_v 0x00040000 +#define OPT_z 0x00080000 /* zone token */ #define FILEOBJ "file" #define MSGQIDOBJ "msgqid" @@ -64,6 +65,7 @@ #define SEMIDOBJ "semid" #define SHMIDOBJ "shmid" #define SOCKOBJ "sock" +#define ZONEOBJ "zonename" /* aka jail */
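Review bot: the usage line added at @@ -172,6 +172,7 @@ in auditreduce.c advertises the object as `zone=`, but the header hunk defines ZONEOBJ as "zonename", so a user following the usage text and passing `-o zone=...` falls through to usage("unknown value for -o"); make the two agree, either by printing `"\t\t zonename=\n"` or by defining ZONEOBJ "zone".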
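Review bot: the new branch at @@ -593,6 +594,9 @@ assigns the value to p_sockobj, so `-o zonename=` silently overwrites any socket selected earlier with `-o sock=` and nothing ever holds the requested zone name; declare a separate p_zoneobj next to p_sockobj and assign it here. Note also that the hunk only records OPT_z in opttochk: no record-matching code comparing the zone token against p_zoneobj appears anywhere in the patch, so as posted the option is parsed but never filters anything, and the patch should carry that comparison (or state which other change provides it).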
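Review bot: at @@ -57,6 +57,7 @@ in auditreduce.h the new bit is named OPT_z, which reads as a `-z` switch, whereas it is selected through `-o` like the other object bits (the sibling in the .c hunk is OPT_oso for "sock"); a name in the same family, e.g. OPT_ozn, keeps the convention and avoids suggesting a -z flag exists.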
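The "ps -o jid,..." and "top -j" approach Dewayne describes can be turned into a small check that names the jail each process runs in and reports which accounts are active in more than one jail, i.e. the uids that an unqualified audit subject cannot identify. This is an added example, not code from the post or from FreeBSD: it assumes the column layout of FreeBSD's `ps -ax -o jid,pid,user,command` and `jls -h jid name` (a header line followed by one row per entry), and the two samples embedded in it are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): join `ps` jail
# ids with `jls` jail names so the same account in different jails can be
# told apart, then report accounts that are active in more than one jail.
# Assumed command formats: `jls -h jid name` (header line, then one jail per
# line) and `ps -ax -o jid,pid,user,command` (header line, then one process
# per line). Both samples below are constructed for offline use.

SAMPLE_JLS='jid name
0 host
3 web
7 mail'

SAMPLE_PS='JID   PID USER   COMMAND
  0   812 root   /usr/sbin/syslogd -s
  3  1401 www    nginx: worker process
  7  1532 www    /usr/local/sbin/dovecot
  3  1405 smmsp  sendmail: accepting connections
  9  2210 root   /bin/sh'

# annotate_ps JLS_TEXT PS_TEXT
# Prints one line per process: "<jail> <jid> <pid> <user> <command>", with the
# jail name taken from the jls text; a jid with no jls entry (e.g. a jail that
# has since been stopped) is shown as "jid-<n>" rather than dropped.
annotate_ps() {
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } | awk '
        /^---$/ { in_ps = 1; next }            # separator between the inputs
        !in_ps {
            if (NR > 1) name[$1] = $2          # line 1 is the "jid name" header
            next
        }
        !seen_ps_header { seen_ps_header = 1; next }   # "JID PID USER COMMAND"
        {
            jid = $1; pid = $2; user = $3
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i   # re-join the command
            jail = (jid in name) ? name[jid] : "jid-" jid
            printf "%-6s %-3s %-6s %-6s %s\n", jail, jid, pid, user, cmd
        }
    '
}

# shared_users JLS_TEXT PS_TEXT
# Prints, one per line and sorted, each user name that has processes in more
# than one jail: these are the accounts a bare uid in a log cannot identify.
shared_users() {
    annotate_ps "$1" "$2" | awk '
        { key = $4 SUBSEP $1; if (!(key in seen)) { seen[key] = 1; jails[$4]++ } }
        END { for (u in jails) if (jails[u] > 1) print u }
    ' | sort
}

# Live use on a FreeBSD host would be:
#   annotate_ps "$(jls -h jid name)" "$(ps -ax -o jid,pid,user,command)"
annotate_ps "$SAMPLE_JLS" "$SAMPLE_PS"
echo "accounts active in more than one jail:"
shared_users "$SAMPLE_JLS" "$SAMPLE_PS"
```

With the constructed samples, "www" shows up in the web and mail jails and "root" in the host and in a jail that jls no longer lists, so both are reported; that second case is why unknown jids are kept and labelled instead of discarded, since a process left behind by a stopped jail is exactly the kind of thing this check should surface.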