Josef,

On Thu, Feb 15, 2007 at 03:22:59PM +0000, Josef Karthauser wrote:
> On Thu, Feb 15, 2007 at 02:57:50PM +0100, Jeremie Le Hen wrote:
> >
> > Note that all processes within a jail can only interfere with processes
> > from another jail or host as if they were on different machines. This
> > means they can communicate through PF_INET for instance but not
> > PF_LOCAL.
> >
> > [...]
> >
> > So how does this relate to jails?
>
> The point of using nullfs is to make a PF_LOCAL socket appear local
> even in the jail(!). Using the patch above this is indeed the case
> and as far as the jail is concerned the socket is indeed local,
> meaning that a process within a jail can talk via it to a process
> on the host environment with no restrictions. This is crucially
> important for mysql for instance as there is significant overhead
> associated with PF_INET connections which can be avoided by talking
> to PF_LOCAL sockets.
I was wrong, you are right. I was pretty sure the kernel retained the
credentials of the listening process and that trying to connect to the
latter using a process that has a mismatching jail ID would fail.

On term #1:
% jarjarbinks:~:103# nc -U -l /usr/space/chroot/tmp/mysock

On term #2:
% jarjarbinks:/usr/src:102# echo "I won't speak before testing" | jail /usr/space/chroot test 192.168.1.3 /usr/bin/nc -U /tmp/mysock

On term #1!
% I won't speak before testing

Sorry for the noise. At least, I rekindled the thread :-).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
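The nc -U exchange from the test above, redone as an added C example (this is not code from the thread or from FreeBSD) so that the listening side also reports what the kernel tells it about the peer. Both ends run in one process here: the listener binds the path, the client connects to the same path, one line goes across, and the listener asks for the peer credentials (LOCAL_PEERCRED on FreeBSD, SO_PEERCRED on Linux, the only two platforms the block assumes). The socket path is a constructed one for the demo. The point a practitioner should take from it, given the thread's finding: the credentials a PF_LOCAL listener can query carry uid/gid (and on Linux a pid), so nothing in that answer by itself says whether the client sits in a jail; reachability of the path is the only boundary.

```c
/* Added example (not from the thread): a PF_LOCAL listener and client on
 * the same host, plus the peer identity the listener can query.
 * Assumes FreeBSD (LOCAL_PEERCRED/xucred) or Linux (SO_PEERCRED/ucred). */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/ucred.h>
#endif

/* What the kernel reports about the other end of a PF_LOCAL connection. */
struct peer_id { uid_t uid; gid_t gid; };

static int get_peer_id(int fd, struct peer_id *out)
{
#ifdef __FreeBSD__
    struct xucred xc;
    socklen_t len = sizeof xc;
    if (getsockopt(fd, 0 /* SOL_LOCAL */, LOCAL_PEERCRED, &xc, &len) == -1)
        return -1;
    out->uid = xc.cr_uid;
    out->gid = xc.cr_ngroups > 0 ? xc.cr_groups[0] : (gid_t)-1;
#else
    struct ucred uc;
    socklen_t len = sizeof uc;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) == -1)
        return -1;
    out->uid = uc.uid;
    out->gid = uc.gid;
#endif
    return 0;
}

/* The thread's exchange in one process: listener on PATH ("nc -U -l"),
 * client connecting to PATH ("nc -U"), one line from client to listener.
 * Copies the received line into BUF, fills WHO with the peer identity the
 * listener sees, and returns the byte count received, or -1 on error. */
static ssize_t local_exchange(const char *path, const char *msg,
                              char *buf, size_t buflen, struct peer_id *who)
{
    struct sockaddr_un sa;
    int lfd = -1, cfd = -1, sfd = -1;
    ssize_t got = -1;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    strcpy(sa.sun_path, path);
    unlink(path);                         /* drop a stale socket from a previous run */

    /* Listener side. */
    if ((lfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) goto out;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) == -1) goto out;
    if (listen(lfd, 1) == -1) goto out;

    /* Client side: all it needs is a path it can reach. */
    if ((cfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) goto out;
    if (connect(cfd, (struct sockaddr *)&sa, sizeof sa) == -1) goto out;

    /* The connection sits in the backlog until the listener accepts it. */
    if ((sfd = accept(lfd, NULL, NULL)) == -1) goto out;
    if (get_peer_id(sfd, who) == -1) goto out;

    if (write(cfd, msg, strlen(msg)) != (ssize_t)strlen(msg)) goto out;
    got = read(sfd, buf, buflen - 1);
    if (got >= 0) buf[got] = '\0';
out:
    if (sfd != -1) close(sfd);
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);
    unlink(path);
    return got;
}

int main(void)
{
    char buf[128];
    struct peer_id who;
    const char *path = "/tmp/mysock.demo";   /* constructed path for the demo */
    ssize_t n = local_exchange(path, "I won't speak before testing\n",
                               buf, sizeof buf, &who);
    if (n < 0) { perror("local_exchange"); return 1; }
    printf("listener got %zd bytes: %s", n, buf);
    printf("peer uid=%ld gid=%ld (uid/gid only; nothing here names a jail)\n",
           (long)who.uid, (long)who.gid);
    return 0;
}
```

Run it as an unprivileged user; the listener reports the caller's own uid, which is exactly what a host-side listener would see from a jailed client that happens to run under the same numeric uid. A server that must tell jailed clients apart cannot rely on this option alone.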