Date:      Sun, 16 Mar 2003 19:56:41 -0500
From:      Jared Mauch <jared@puck.nether.net>
To:        Mooneer Salem <mooneer@translator.cx>
Cc:        Jared Mauch <jared@puck.nether.net>, freebsd-hackers@freebsd.org
Subject:   Re: jail support for ping, traceroute, etc.. crude hack
Message-ID:  <20030317005641.GA8288@puck.nether.net>
In-Reply-To: <FHEMJMOKKMJDGKFOHHEPIEELFIAA.mooneer@translator.cx>
References:  <20030316211400.GE32478@puck.nether.net> <FHEMJMOKKMJDGKFOHHEPIEELFIAA.mooneer@translator.cx>

On Sun, Mar 16, 2003 at 02:30:36PM -0800, Mooneer Salem wrote:
> Hello,
> 
> This patch is interesting. To my understanding though, ipfw uses RAW sockets
> to communicate with the kernel. Therefore, it might be possible to edit the
> ipfw table from within the jail, which may be a bad thing. Just a thought.

	At least in this environment I do not expect to be using IPFW,
but this could be something to watch out for in other environments..

	When i was looking at this i was somewhat frustrated with
the way suser() doesn't really allow any sort of a context-of-check
to happen easily that i was able to find.  i.e., was it for a networking
check, filesystem, etc..  so my first stab at this ended up with
every user being able to do raw ip packets which was bad.. i
ended up doing the p->p_prison save hack instead to get the result
then applied the prison policy there.

	Something that i would have no idea where to start on
but am interested in doing is also extending the jail support
to include IPv6 in addition to the IPv4 sockets but that can cause 
some issues in an eui-64 environment..  personally i dislike eui-64
as if you change the ethernet card (which i tend to swap out
periodically as i need to take a card out of my desktop to match
up with dual-nic cards in other machines) it renumbers you.

	- jared

> -----Original Message-----
> From: owner-freebsd-hackers@FreeBSD.ORG
> [mailto:owner-freebsd-hackers@FreeBSD.ORG]On Behalf Of Jared Mauch
> Sent: Sunday, March 16, 2003 1:14 PM
> To: freebsd-hackers@freebsd.org
> Subject: jail support for ping, traceroute, etc.. crude hack
> 
> 
> 
> 	so, i am working on building a "super-server" for me
> and several friends to collaborate with on the money front
> to put our machine in a colo location, etc.. and still have good
> access to networking resources.
> 
> 	as a result, i needed to modify the FreeBSD kernel such
> that it will allow us to use ping, traceroute and other tools.
> 
> 	obviously we know there will be some underlying security
> issues associated but we are sophisticated enough to understand the
> nature of these and they are an 'acceptable' situation.
> 
> 	my diffs are available at
> 
> http://puck.nether.net/~jared/fbsd-4.8-rc1-diff-jail-raw_ip.txt
> and are against the 4.8-rc1 /usr/src/sys tree
> 
> 	yeah, they're crude but it gets the desired job done.  there
> is a sysctl to control it, so if it's not the desired operation
> it can be easily tweaked.
> 
> 	send me comments.
> 
> 	enjoy,
> 
> 	- jared
> 
> --
> Jared Mauch  | pgp key available via finger from jared@puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 
> 
> 
> 

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
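A check an administrator would want after applying a policy like the one in this thread, as an added example that is not part of the thread or of the patch at the URL above: run it from inside the jail to see which raw socket types the kernel actually lets the process open (ping needs a raw ICMP socket, and the thread notes that ipfw also talks to the kernel over a raw socket). It assumes only the POSIX socket API; the protocol labels are the example's own.

```c
/* Added example, not code from the thread or its patch: probe which raw
 * socket types this process may open, so a jail's raw-IP policy can be
 * verified from the inside. Assumes only the POSIX socket API. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct raw_probe {
    const char *name;   /* label for the report (constructed here) */
    int domain;
    int proto;
    int result;         /* 0 if socket() succeeded, otherwise errno */
};

/* Try to open one raw socket and close it again; return 0 or errno. */
static int probe_raw_socket(int domain, int proto)
{
    int fd = socket(domain, SOCK_RAW, proto);
    if (fd < 0)
        return errno;       /* EPERM/EACCES: policy denies it */
    close(fd);
    return 0;
}

/* Run every probe in the table, fill in result, return how many succeeded. */
static int run_raw_probes(struct raw_probe *p, int n)
{
    int allowed = 0;
    for (int i = 0; i < n; i++) {
        p[i].result = probe_raw_socket(p[i].domain, p[i].proto);
        if (p[i].result == 0)
            allowed++;
    }
    return allowed;
}

int main(void)
{
    struct raw_probe probes[] = {
        { "IPv4 ICMP (ping)",      AF_INET,  IPPROTO_ICMP,   -1 },
        { "IPv4 IPPROTO_RAW",      AF_INET,  IPPROTO_RAW,    -1 },
        { "IPv6 ICMPv6 (ping6)",   AF_INET6, IPPROTO_ICMPV6, -1 },
    };
    int n = (int)(sizeof probes / sizeof probes[0]);
    int allowed = run_raw_probes(probes, n);
    for (int i = 0; i < n; i++)
        printf("%-22s %s\n", probes[i].name,
               probes[i].result == 0 ? "allowed" : strerror(probes[i].result));
    printf("%d of %d raw socket types permitted\n", allowed, n);
    return 0;
}
```

A result other than "allowed" for every row means the policy (or lack of privilege) blocks that socket type; a success for IPPROTO_RAW inside a jail is the case the ipfw concern above is about.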