Date:      Fri, 23 Aug 2013 18:13:20 +0000
From:      "Mike C." <miguelmclara@gmail.com>
To:        galtsev@kicp.uchicago.edu
Cc:        freebsd-jail@freebsd.org
Subject:   Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
Message-ID:  <5217A640.6070903@gmail.com>
In-Reply-To: <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu>
References:  <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <CAHDrHSuupiWJxAw3arOas1UNCSm_5iqqxn2_eCt84KFiE8wwVA@mail.gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu>

On 08/23/13 16:35, Valeri Galtsev wrote:
> 
> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. <miguelmclara@gmail.com> wrote:
>>
>>>
>>> On 08/23/13 16:34, Mike C. wrote:
>>>> Yes I know about
>>>>
>>>>> security.jail.allow_raw_sockets=1
>>>>
>>>> Like I said I can do this with "root" just not with the user nagios, I
>>> guess If raw_sockets was set to 0 on the host, I would have problems
>>> with
>>> any user!
>>>>
>>>>
>>>>
>>>> ----
>>>> Putting this in /etc/rc.conf:
>>>>
>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>
>>>> does not allow every jail access to raw sockets.  There is an example
>>> in
>>>> /etc/defaults/rc.conf.
>>>>
>>>>
>>>
>>> [EDIT: better English... sorry typing on smartphones sucks]
>>>
>>> Now this is something I wasn't aware of... very nice and thanks for the
>>> tip on ez-jails, I'm indeed using ez-jails!
>>>
>>> Is there any other setting that would forbid non root users to use raw
>>> sockets?
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>> Mike,
>>
>> Doesn't sound to me like an issue with the jail's configuration, but I'm
>> no
>> expert.
>>
>> I'm running NRPE on many jails without issue there and without any special
>> jail configuration.
>>
>> Are you getting "Operation not permitted" output from the "check_http"
>> plugin on the local system or over something like NRPE or through the
>> Nagios configurations?
>>
>> Josh

Local and remote but not with nrpe yet... I guess if I can't use
check_http, I will have problems with nrpe too.


> 
> Also, try to do something simple like ping or traceroute as user nagios
> (user for whom check_http fails) in that jail, - does that give any error?
> 

Interesting, I see:
traceroute: icmp socket: Operation not permitted

Same for
ping: socket: Operation not permitted

Even with root... so I guess that's the problem, but I wonder now how does
check_http work for root? If I can't even ping...


> Thanks.
> Valeri
> 
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
> 
> 
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
> 


-- 
Melhores Cumprimentos // Best Regards
------------------------------------------------------------------------
Miguel Clara
*nix Sys Admin Freelance



http://www.linkedin.com/in/miguelmclara/
Mike_C_PT <https://twitter.com/Mike_C_PT>
http://about.me/miguelmclara
------------------------------------------------------------------------
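
The ping/traceroute test discussed in this thread exercises raw sockets, while an HTTP check only needs a TCP stream socket, so the two can fail independently. The following probe is an added example, not part of the original message or of any tool named in it: it reports which call returns "Operation not permitted" for the current user. The function names are hypothetical and 127.0.0.1:80 is a placeholder target.

```python
# Added example (not from the thread); function names are hypothetical.
import errno, os, socket, sys

def _name(exc):
    # socket.timeout carries no errno, so fall back to the exception class name
    return errno.errorcode.get(exc.errno, type(exc).__name__)

def probe_raw_icmp():
    """Create a raw ICMP socket, the call ping and traceroute depend on."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return "ok"
    except OSError as exc:
        return _name(exc)

def probe_tcp_connect(host, port, timeout=3.0):
    """Create a TCP socket and connect, as an HTTP check does; report the failing stage."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        return "socket", _name(exc)
    try:
        s.settimeout(timeout)
        s.connect((host, port))
        return "connect", "ok"
    except OSError as exc:
        return "connect", _name(exc)
    finally:
        s.close()

def summarize(raw, tcp):
    """Separate a raw-socket denial from a denial on the TCP path."""
    stage, result = tcp
    denied = ("EPERM", "EACCES")
    if raw in denied and result in denied:
        return "both-denied"
    if raw in denied:
        return "raw-denied"
    if result in denied:
        return "tcp-%s-denied" % stage
    return "no-permission-error"

if __name__ == "__main__":
    # 127.0.0.1:80 is a placeholder target; pass the host and port the check uses.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    raw, tcp = probe_raw_icmp(), probe_tcp_connect(host, port)
    print("euid=%d raw_icmp=%s tcp=%s:%s -> %s" % (os.geteuid(), raw, tcp[0], tcp[1], summarize(raw, tcp)))
```

Running it inside the jail once as root and once as the affected user shows whether the two accounts differ on the raw-socket call, the TCP connect, or both.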


