From owner-freebsd-security Fri Dec 7 8:57:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 84A8F37B416; Fri, 7 Dec 2001 08:56:56 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB7GuNi44030; Fri, 7 Dec 2001 11:56:23 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Fri, 7 Dec 2001 11:56:23 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: alexus
Cc: Przemyslaw Frasunek, freebsd-security@freebsd.org
Subject: Re: identd inside of jail
In-Reply-To: <00d101c17e67$c8029bf0$0d00a8c0@alexus>
Sender: owner-freebsd-security@FreeBSD.ORG

What NAT package you use shouldn't make any difference inside jail on 4-STABLE: the getcred calls in question are simply not permitted from within jail on 4.x.

If you want a cheap hack to let ident work in jail, at the cost of leaking information to the jail about connections from outside that jail, you can modify the suser() calls in src/sys/netinet/{tcp_subr.c,udp_subr.c} to call suser_xxx() with the PRISON_ROOT flag set instead. The patch would look something like this:

Index: tcp_subr.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.73.2.22
diff -u -r1.73.2.22 tcp_subr.c
--- tcp_subr.c	22 Aug 2001 00:59:12 -0000	1.73.2.22
+++ tcp_subr.c	7 Dec 2001 16:56:23 -0000
@@ -910,7 +910,7 @@ struct inpcb *inp; int error, s; - error = suser(req->p); + error = suser_xxx(NULL, req->p, PRISON_ROOT); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs));

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 6 Dec 2001, alexus wrote:

> I've tried ident2 .. it won't work
>
> I heard that any identd will work inside of jail if you're using ipf/ipnat and
> they won't work w/ ipfw/natd
>
> are you using ipfw/natd ? or ipf/ipnat?
>
> ----- Original Message -----
> From: "Przemyslaw Frasunek"
> To: "alexus"
> Cc: <freebsd-security@freebsd.org>
> Sent: Thursday, December 06, 2001 3:19 AM
> Subject: Re: identd inside of jail
>
>
> > On Thursday 06 December 2001 00:44, you wrote:
> > > did anyone succeed in making identd (from inetd) or any other identd
> > > work inside of jail?
> >
> > use ident2 from ports. it works fine in jail.
> >
> > --
> > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> > * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
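Review bot: the changed line `error = suser_xxx(NULL, req->p, PRISON_ROOT);` lets a jail's root pass the privilege check, but nothing in the hunk then scopes the lookup to that jail: the handler goes straight on to `SYSCTL_IN(req, addrs, sizeof(addrs))` with whatever address pair the caller supplied, so, as the covering text warns, jailed root can now query credentials for any connection on the host, not only its own. If this is meant as more than a cheap hack, add a check after the SYSCTL_IN that the requested local address belongs to the calling prison before performing the lookup, and note that the matching change to the udp file named in the text is not part of this hunk.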