Date: Fri, 7 Dec 2001 11:56:23 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: alexus <ml@db.nexgen.com>
Cc: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>, freebsd-security@freebsd.org
Subject: Re: identd inside of jail
Message-ID: <Pine.NEB.3.96L.1011207115316.42818E-100000@fledge.watson.org>
In-Reply-To: <00d101c17e67$c8029bf0$0d00a8c0@alexus>
What NAT package you use shouldn't make any difference inside jail on
4-STABLE: the getcred calls in question are simply not permitted from within
jail on 4.x. If you want a cheap hack to let ident work in jail, at the cost
of leaking information to the jail about connections from outside that jail,
you can modify the suser() calls in src/sys/netinet/{tcp_subr.c,udp_subr.c}
to call suser_xxx() with the PRISON_ROOT flag set instead. The patch would
look something like this:

Index: tcp_subr.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.73.2.22
diff -u -r1.73.2.22 tcp_subr.c
--- tcp_subr.c	22 Aug 2001 00:59:12 -0000	1.73.2.22
+++ tcp_subr.c	7 Dec 2001 16:56:23 -0000
@@ -910,7 +910,7 @@
 	struct inpcb *inp;
 	int error, s;
 
-	error = suser(req->p);
+	error = suser_xxx(NULL, req->p, PRISON_ROOT);
 	if (error)
 		return (error);
 	error = SYSCTL_IN(req, addrs, sizeof(addrs));

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 6 Dec 2001, alexus wrote:

> i've tried ident2 .. it won't work
>
> i heard that any identd will work inside of jail if you're using ipf/ipnat and
> they won't work w/ ipfw/natd
>
> are you using ipfw/natd ? or ipf/ipnat?
>
> ----- Original Message -----
> From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
> To: "alexus" <ml@db.nexgen.com>
> Cc: <freebsd-security@freebsd.org>
> Sent: Thursday, December 06, 2001 3:19 AM
> Subject: Re: identd inside of jail
>
>
> > On Thursday 06 December 2001 00:44, you wrote:
> > > did anyone succeed on making identd (from inetd) or any other identd to
> > > work inside of jail?
> >
> > use ident2 from ports. it works fine in jail.
> >
> > --
> > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> > * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
> >
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
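Review bot: the hunk replaces suser(req->p) with suser_xxx(NULL, req->p, PRISON_ROOT) unconditionally, so jailed root can now query the credential of any connection on the host, which is exactly the information leak the message itself warns about. Consider keeping the relaxed check but, after the inpcb lookup and before the credential is copied out, comparing the found socket's local address with the jail's address and returning EPERM on mismatch, so the hack only covers sockets the jail could see anyway. The message also mentions a matching change in the UDP getcred handler, but only the tcp_subr.c hunk is shown.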
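The trade-off Robert describes (jailed root refused outright by suser(), versus the PRISON_ROOT variant that lets jailed root query every connection on the host) can be made concrete with a small user-space model. This is an added example, not FreeBSD kernel code or anything from the thread: the requester and connection structures and the sample table are constructed, and the third policy, which additionally requires the looked-up socket's local address to be the jail's own IP, is a hypothetical hardening.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not FreeBSD kernel code: the access decision of the getcred
 * sysctl under the three variants discussed above, over constructed data. */
struct requester { bool is_root; bool in_jail; uint32_t jail_ip; };
struct conn { uint32_t local_ip; uint32_t owner_uid; };
enum policy { POLICY_STOCK, POLICY_PRISON_ROOT, POLICY_PRISON_ROOT_SAMEIP };

/* 0 = credential may be returned to the caller, EPERM = refused. */
int getcred_check(enum policy p, const struct requester *r, const struct conn *c)
{
    if (!r->is_root)
        return EPERM;                  /* every variant still requires root */
    switch (p) {
    case POLICY_STOCK:                 /* 4.x as shipped: suser(req->p) */
        return r->in_jail ? EPERM : 0; /* jailed root is refused outright */
    case POLICY_PRISON_ROOT:           /* the patch: suser_xxx(NULL, req->p, PRISON_ROOT) */
        return 0;                      /* jailed root may query any connection */
    case POLICY_PRISON_ROOT_SAMEIP:    /* hypothetical: also require the jail's own IP */
        return (!r->in_jail || c->local_ip == r->jail_ip) ? 0 : EPERM;
    }
    return EPERM;
}

/* Constructed table: two sockets belong to jail 10.0.0.5, one to the host. */
static const struct conn sample_conns[] = {
    { 0x0A000005u, 80 },   /* 10.0.0.5: the jail's httpd */
    { 0x0A000005u, 1001 }, /* 10.0.0.5: a jail user      */
    { 0x0A000001u, 0 },    /* 10.0.0.1: a host daemon    */
};

/* Number of table entries whose owner uid the requester could learn. */
int count_visible(enum policy p, const struct requester *r)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_conns / sizeof sample_conns[0]; i++)
        if (getcred_check(p, r, &sample_conns[i]) == 0)
            n++;
    return n;
}

int main(void)
{
    struct requester jailed_root = { true, true, 0x0A000005u };
    printf("stock=%d patch=%d patch+ipcheck=%d\n", count_visible(POLICY_STOCK, &jailed_root),
           count_visible(POLICY_PRISON_ROOT, &jailed_root), count_visible(POLICY_PRISON_ROOT_SAMEIP, &jailed_root));
    return 0;
}
```

For the jailed root in the table, the stock kernel exposes nothing, the patch exposes all three sockets including the host daemon's, and the address-checked variant exposes only the jail's own two.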