Quoting Ivan Voras <ivo...@freebsd.org> (from Mon, 30 Nov 2009 16:14:40 +0100):

xorquew...@googlemail.com wrote:
On 2009-11-30 15:43:01, Ivan Voras wrote:
xorquew...@googlemail.com wrote:
76030 initial thread STRU struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
76030 initial thread NAMI  "/tmp/jack-11001/default/jack_0"
76030 initial thread RET   connect -1 errno 61 Connection refused
I would expect to see this result from the jail since it's obviously a Bad Idea, but does it work from the same (host) machine

It is not a bad idea, at least not if we talk about mounting something from JailA to JailB. Think about the MySQL socket. I have a jail with MySQL, and I have a jail which wants to connect to it. I do not want to allow network connections between those jails (be it for performance reasons, or that I do not want to involve a network connection, or that I do not want to give the MySQL jail an IP at all or whatever).

Solution: give access to the socket via the FS. Ideally by putting the socket in its own directory and mounting this directory over to the jail. A workaround for this scenario is below.

without the jail in between (i.e. just the nullfs, no jails)?

Hm, yes, you're right. It does work without a jail involved.

What's the sane solution, then, when the only method of communication
is unix domain sockets?

It is a security problem. I think the long-term solution would be to

It is a risk-management problem, and as such not the responsibility of FreeBSD to enforce it. If the sysadmin wants to shoot himself in the foot, it is his decision.

add a sysctl analogous to security.jail.param.securelevel to handle this.

Do you know the code which is responsible for rejecting access to the socket? If yes, I can provide a patch regarding jail.param.something.

I don't think there is a workaround right now.

My workaround with MySQL is to have the jail and the socket in the same FS (I would prefer to have them on separate FS). Then you can do a hardlink of the socket into the jail (obviously after each restart of the software, but this can be scripted). This works for me.

Bye,
Alexander.

--
You are capable of planning your future.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
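
The hard-link workaround described in the message above, scripted so it can run after each restart of the service. This is an added example, not code from the thread; the function name link_socket and the paths passed to it are assumptions, and it relies on the socket and the jail tree being on the same filesystem, as the message states.

```sh
#!/bin/sh
# Added example, not from the thread. SRC and DST are chosen by the caller.

# link_socket SRC DST
# Hard-link the unix socket SRC (outside the jail) to DST (inside the jail tree).
# Returns 0 if DST is the same inode as SRC afterwards, non-zero otherwise.
link_socket() {
    src=$1
    dst=$2
    dstdir=$(dirname -- "$dst")

    # Link only a real socket, and not through a symlink.
    if [ -L "$src" ] || [ ! -S "$src" ]; then
        echo "link_socket: $src is not a socket (service not running?)" >&2
        return 1
    fi
    # The jail's root controls its own tree: do not write through a symlinked directory.
    if [ -L "$dstdir" ] || [ ! -d "$dstdir" ]; then
        echo "link_socket: $dstdir is not a plain directory" >&2
        return 1
    fi
    # Nothing to do if the link already names the current socket inode.
    if [ "$src" -ef "$dst" ]; then
        return 0
    fi
    # After a restart the old link names a dead socket; replace it, but
    # never clobber anything that is not a socket.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        if [ -L "$dst" ] || [ ! -S "$dst" ]; then
            echo "link_socket: refusing to replace non-socket $dst" >&2
            return 1
        fi
        rm -f -- "$dst"
    fi
    # ln fails here if SRC and DST are on different filesystems.
    if ! ln -- "$src" "$dst"; then
        echo "link_socket: cannot hard-link (different filesystem?)" >&2
        return 1
    fi
    [ "$src" -ef "$dst" ]
}

# Run as: link_socket.sh SRC DST (for example from the service's start script).
if [ "$#" -eq 2 ]; then
    link_socket "$1" "$2"
fi
```

Both names refer to one inode, so the socket's owner and mode are what processes inside the jail see; set them on the original socket.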
