Date:      Tue, 3 Jun 2014 09:44:52 +0200 (CEST)
From:      Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To:        Beeblebrox <zaphod@berentweb.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: jail sockstat shows gdnc, gdomap, casperd as enabled
Message-ID:  <alpine.BSF.2.00.1406030942300.32596@mail.fig.ol.no>
In-Reply-To: <1401778952788-5917302.post@n5.nabble.com>
References:  <1401778952788-5917302.post@n5.nabble.com>

On Tue, 3 Jun 2014 00:02-0700, Beeblebrox wrote:

> Some (not all) of my jails show gdnc, gdomap & casperd services with sockstat
> listing. The jails that show these services have /usr/local mounted as ro to
> jailname/usr/local.
> 
> root     gdnc       1433  5  stream /tmp/GNUstepSecure0/NSMessagePort/ports/1433.0
> nobody   gdomap     1378  3  udp4   192.168.2.50:538      *:*
> nobody   gdomap     1378  4  tcp4   192.168.2.50:538      *:*

These two are related to GNUstep. If your jails don't run GNUstep, why 
is GNUstep installed in the first place?

http://www.gnustep.org/resources/documentation/Developer/Tools/Reference/gdnc.html
http://www.gnustep.org/resources/documentation/Developer/Tools/Reference/gdomap.html

> root     casperd    1149  3  dgram  -> /var/run/logpriv
> root     casperd    1149  4  stream -> ??
> root     casperd    1149  6  stream /var/run/casper
> root     casperd    1148  5  stream -> ??

casperd is part of capsicum. You should probably keep this one.

http://www.cl.cam.ac.uk/research/security/capsicum/freebsd.html

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
Date: Tue, 3 Jun 2014 01:00:37 -0700 (PDT)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-current@freebsd.org
Message-ID: <CAPSTskvinNHikXn3R+nsA+Cg8Dvy39TUkFj5JgFeJnOrOYv8kA@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1406030942300.32596@mail.fig.ol.no>
References: <1401778952788-5917302.post@n5.nabble.com>
 <alpine.BSF.2.00.1406030942300.32596@mail.fig.ol.no>
Subject: Re: jail sockstat shows gdnc, gdomap, casperd as enabled

Hi Trond,

> These two are related to GNUstep. If your jails don't run GNUstep, why
> is GNUstep installed in the first place?
>

I know that they are related to GNUstep (although I have no idea what
GNUstep actually does other than act as a messaging system probably like
dbus). Anyway, I don't understand how & why they start up and that's
exactly my question. The only insight I can provide, is that /usr/local is
null_mounted on to jail/usr/local, but that should not really have this
effect.


> casperd is part of capsicum. You should probably keep this one.
>
I figured as much re capsicum. So the question becomes "should all jails be
running capsicum in this case"?

Regards.




-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
Subject: Re: jail sockstat shows gdnc, gdomap, casperd as enabled
From: David Chisnall <theraven@FreeBSD.org>
In-Reply-To: <CAPSTskvinNHikXn3R+nsA+Cg8Dvy39TUkFj5JgFeJnOrOYv8kA@mail.gmail.com>
Date: Tue, 3 Jun 2014 09:12:02 +0100
Message-Id: <9A0F870A-0DF1-4C02-A0EB-5D23A730191D@FreeBSD.org>
References: <1401778952788-5917302.post@n5.nabble.com>
 <alpine.BSF.2.00.1406030942300.32596@mail.fig.ol.no>
 <CAPSTskvinNHikXn3R+nsA+Cg8Dvy39TUkFj5JgFeJnOrOYv8kA@mail.gmail.com>
To: Beeblebrox <zaphod@berentweb.com>
Cc: freebsd-current@freebsd.org

On 3 Jun 2014, at 09:00, Beeblebrox <zaphod@berentweb.com> wrote:

> I know that they are related to GNUstep (although I have no idea what
> GNUstep actually does other than act as a messaging system probably like
> dbus). Anyway, I don't understand how & why they start up and that's
> exactly my question. The only insight I can provide, is that /usr/local is
> null_mounted on to jail/usr/local, but that should not really have this
> effect.

gdomap is the service that GNUstep uses for distributed objects.
gdnc is the service that GNUstep uses for distributed (broadcast)
notifications.

They are both started on demand.  If they're running in your jail, then
it most likely means that something inside your jail has started them.

Both gdomap and gdnc are intended to allow messaging between computers
on the local network and so will bind to a public IP.  Given that
neither of them has had any kind of serious security auditing (or even
anyone trying to fuzz their parsers), I'd strongly recommend firewalling
them off from the outside world.

David
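
One way to act on the firewalling advice above, as an added example that is not part of the thread or of any poster's message: a shell filter that picks out sockets in a sockstat listing that are bound to a non-loopback address and prints candidate pf.conf block rules for them. The function names, the assumed column layout, the use of pf, and the constructed sshd sample line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed sockstat column layout:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Sample input: lines from the listing quoted in the thread plus one
# constructed loopback-only line (sshd) to show what is NOT flagged.
sample_sockstat() {
    cat <<'EOF'
root     gdnc       1433  5  stream /tmp/GNUstepSecure0/NSMessagePort/ports/1433.0
nobody   gdomap     1378  3  udp4   192.168.2.50:538      *:*
nobody   gdomap     1378  4  tcp4   192.168.2.50:538      *:*
root     casperd    1149  6  stream /var/run/casper
root     sshd       900   3  tcp4   127.0.0.1:22          *:*
EOF
}

# Print "command proto address port" for every unconnected tcp/udp socket
# (foreign address *:*) bound to something other than loopback.
exposed_listeners() {
    awk '
    $5 ~ /^(tcp|udp)(4|6|46)?$/ && $7 == "*:*" {
        if (!match($6, /:[^:]*$/)) next      # no port separator found
        addr = substr($6, 1, RSTART - 1)     # text before the last colon
        port = substr($6, RSTART + 1)        # text after the last colon
        if (addr ~ /^127\./ || addr == "::1") next
        print $2, $5, addr, port
    }' | sort -u
}

# Turn that list into candidate pf.conf block rules, to be reviewed
# before they are added to the host's ruleset.
pf_block_rules() {
    while read -r cmd proto addr port; do
        if [ "$addr" = "*" ]; then addr=any; fi   # wildcard bind
        printf '# %s\n' "$cmd"
        printf 'block in quick proto %s from any to %s port %s\n' \
            "${proto%%[0-9]*}" "$addr" "$port"
    done
}

# Inside a jail or on the host: sockstat | exposed_listeners | pf_block_rules
```

UNIX-domain sockets such as the gdnc and casperd entries are skipped because they are not reachable over the network; only the two gdomap sockets on port 538 are reported for the sample.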



