Date: Wed, 21 May 2003 18:02:37 +0200
From: "Tom Dymond - Ipnoz" <tom@ipnoz.com>
To: <freebsd-security@freebsd.org>
Subject: netstat/ipcs inside jail
Message-ID: <018801c31fb2$663cb480$0801a8c0@xtom>
Hi,

I've got this problem with my jail and I'm absolutely lost as to the why of it. I previously posted this on comp.unix.bsd.freebsd.misc but I was advised to send it here. I was unable to find help on Google :(

To sum up quickly: when I'm in a jail, netstat doesn't work properly. Hopefully I have provided sufficient information for anyone willing to help me :p

First of all, my system:

  FreeBSD cube.kmem.org 4.8-STABLE FreeBSD 4.8-STABLE #6: Tue May 20 22:22:47 CEST 2003
      root@cube.kmem.org:/usr/obj/usr/src/sys/ruby2  i386

System was updated, mergemaster done, kernel in sync with world.

The interfaces part of my rc.conf from the host:

  ifconfig_rl1="inet 10.0.2.1 netmask 255.255.255.0"
  ifconfig_rl1_alias0="inet 10.0.2.6 netmask 0xffffffff"
  route_0="10.0.2.6 -iface lo0"
  inetd_flags="-wW -a 10.0.2.1"
  portmap_enable="NO"

---

- my sysctls for the jail are set as follows and are loaded by /etc/sysctl.conf

  > sysctl -a | grep jail
  jail.set_hostname_allowed: 0
  jail.socket_unixiproute_only: 0
  jail.sysvipc_allowed: 1

- my kernel is compiled with these options

  > grep SYSV ruby2
  options         SYSVSHM                 #SYSV-style shared memory
  options         SYSVMSG                 #SYSV-style message queues
  options         SYSVSEM                 #SYSV-style semaphores

- df looks like this:

  > df
  Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
  /dev/ar0s1a     128990    47838    70834    40%    /
  /dev/ar0s1f    1032142       16   949556     0%    /tmp
  /dev/ar0s1g   74232392 36708258 31585544    54%    /usr
  /dev/ar0s1e    1032142    22036   927536     2%    /var
  procfs               4        4        0   100%    /proc
  procfs               4        4        0   100%    /usr/home/jail/10.0.2.6/proc

- the jail is loaded from /usr/local/etc/rc.d by these 2 commands:

  mount -t procfs proc /usr/home/jail/10.0.2.6/proc
  jail /usr/home/jail/10.0.2.6 jail.kmem.org 10.0.2.6 /bin/sh /etc/rc

- when I'm out of the jail and I do this:

  > ipcs -a

  I get this:

  Message Queues:
  T     ID     KEY        MODE       OWNER    GROUP    CREATOR  CGROUP   CBYTES  QNUM  QBYTES  LSPID  LRPID  STIME    RTIME    CTIME

  Shared Memory:
  T     ID     KEY        MODE       OWNER    GROUP    CREATOR  CGROUP   NATTCH  SEGSZ   CPID  LPID  ATIME    DTIME    CTIME
  m 6946816      0 --rw-------      tom      tom      tom      tom           2 196608  3414  3380  9:59:36 10:50:07  9:59:36

  Semaphores:
  T     ID     KEY        MODE       OWNER    GROUP    CREATOR  CGROUP   NSEMS  OTIME    CTIME

However, if I'm in the jail and I do the same command, I get this:

  ipcs: short read
  SVID messages facility not configured in the system
  ipcs: short read
  SVID shared memory facility not configured in the system
  ipcs: short read
  SVID semaphores facility not configured in the system

If I launch a netstat inside the jail, I get an unlimited amount of lines that look like this, until I ^C:

  netstat: short read
  netstat: short read
  netstat: short read
  ...

The rc.conf of the jail:

  hostname="jail.kmem.org"
  portmap_enable="NO"
  network_interfaces=""
  sshd_enable="YES"
  sendmail_enable="NO"
  inetd_flags="-wW -a 10.0.2.6"

- this is what ifconfig looks like OUT of the jail:

  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
          inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
          ether 00:50:8d:47:e5:67
          media: Ethernet autoselect (10baseT/UTP)
          status: active
  rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
          inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
          inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
          ether 00:50:fc:47:84:38
          media: Ethernet autoselect (100baseTX <full-duplex>)
          status: active
  lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
  sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
  faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
  vlan0: flags=0<> mtu 1500
          ether 00:00:00:00:00:00
          vlan: 0 parent interface: <none>
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
          inet 127.0.0.1 netmask 0xff000000
  ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
  tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
          inet 81.50.114.213 --> 81.50.114.1 netmask 0xffffff00
          Opened by PID 68
  tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
          inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
          inet 10.0.2.1 --> 10.0.3.1 netmask 0xff000000
          Opened by PID 258
  tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
          inet 10.0.2.1 --> 192.168.1.1 netmask 0xff000000
          inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
          Opened by PID 3290

- this is what ifconfig looks like IN the jail:

  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
          ether 00:50:8d:47:e5:67
          media: Ethernet autoselect (10baseT/UTP)
          status: active
  rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
          inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
          ether 00:50:fc:47:84:38
          media: Ethernet autoselect (100baseTX <full-duplex>)
          status: active
  lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
  sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
  faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
  vlan0: flags=0<> mtu 1500
          ether 00:00:00:00:00:00
          vlan: 0 parent interface: <none>
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
  ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
  tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
          Opened by PID 68
  tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
          inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
          Opened by PID 258
  tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
          inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
          Opened by PID 3290

--> When I built the jail, I cvsupped the stable branch, then I followed the procedure described in man jail. I then rebuilt my kernel. Maybe I'm missing a device in the jail, maybe I have a route problem, maybe it's the absence of the loopback .. I'm not sure what to look for really. I rebuilt the world on the host with exactly the same sources as the jail, all is in sync.

--> With putty's logging feature I managed to grab this:

  netstat
  Active Internet connections
  Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
  tcp4       0     52  jail.ssh               ALyon-209-2-1-2..2484  ESTABLISHED
  tcp4       0      0  jail.smtp              *.*                    LISTEN
  tcp4       0      0  jail.ssh               *.*                    LISTEN
  tcp4       0      0  jail.telnet            *.*                    LISTEN
  tcp4       0      0  jail.domain            *.*                    LISTEN
  udp4       0      0  jail.syslog            *.*
  udp4       0      0  jail.ntp               *.*
  udp4       0      0  jail.domain            *.*
  netstat: short read
  netstat: short read
  netstat: short read
  .....(goes on for miles and miles if I don't ^C)

Just in case: kmem and the kernel are linked to the jail's dev/null

  cube# ll /usr/home/jail/10.0.2.6/dev/kmem
  lrwx------  1 root  wheel  4 May 21 17:05 /usr/home/jail/10.0.2.6/dev/kmem -> null
  cube# ll /usr/home/jail/10.0.2.6/kernel
  lrwxr-xr-x  1 root  wheel  8 May 17 17:08 /usr/home/jail/10.0.2.6/kernel -> dev/null

-----
Thanks in advance for any possible help

Tom
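An added check from the editor, not part of Tom's message: "short read" is what libkvm reports when a read(2) from the kmem device returns fewer bytes than asked for, and a jail whose dev/kmem resolves to null (as the ll output above shows) returns 0 bytes to every kvm(3)-based read, so any part of netstat or ipcs that goes through kvm rather than sysctl fails that way. The script below, run from the host with the jail root as its argument (the /usr/home/jail/10.0.2.6 path and the function names are assumptions), resolves those links inside the jail tree and reports whether kvm-based tools can be expected to fail there.

```shell
#!/bin/sh
# Editor's added check, not from the original message: report whether a
# jail's dev/kmem and kernel resolve to the null device inside the jail.
# Usage: jail_kvm_check /usr/home/jail/10.0.2.6   (path is an assumption)

# Follow a symlink chain relative to the jail root without ever leaving it;
# absolute targets are re-rooted at the jail, as the jailed process sees them.
resolve_in_jail() {
    root=$1; path=$2; n=0
    while [ -h "$root/$path" ] && [ "$n" -lt 16 ]; do
        target=$(readlink "$root/$path")
        case $target in
            /*) path=${target#/} ;;                   # absolute: re-root in the jail
            *)  path=$(dirname "$path")/$target ;;    # relative to the link's directory
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$path" | sed 's#/\./#/#g; s#^\./##'  # normalise ./ components
}

# Verdict for one path under the jail root: null-linked, real or missing.
classify() {
    root=$1; path=$2
    if [ ! -e "$root/$path" ] && [ ! -h "$root/$path" ]; then
        echo missing; return 0
    fi
    case $(resolve_in_jail "$root" "$path") in
        dev/null) echo null-linked ;;
        *)        echo real ;;
    esac
}

# kvm(3) tools default to /dev/kmem plus the running kernel image for their
# namelist; with kmem on null every kvm_read() comes back short.
jail_kvm_check() {
    root=$1
    kmem=$(classify "$root" dev/kmem)
    kern=$(classify "$root" kernel)
    echo "dev/kmem: $kmem"
    echo "kernel:   $kern"
    if [ "$kmem" = null-linked ]; then
        echo "kvm-based tools (netstat, ipcs on 4.x) will report 'short read' in this jail"
    fi
    return 0
}

if [ $# -eq 1 ]; then jail_kvm_check "$1"; fi
```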