Quoting Ivan Voras <ivo...@freebsd.org> (from Mon, 30 Nov 2009 16:14:40 +0100):
> xorquew...@googlemail.com wrote:
>> On 2009-11-30 15:43:01, Ivan Voras wrote:
>>> xorquew...@googlemail.com wrote:
>>>> 76030 initial thread STRU struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
>>>> 76030 initial thread NAMI "/tmp/jack-11001/default/jack_0"
>>>> 76030 initial thread RET connect -1 errno 61 Connection refused
>>> I would expect to see this result from the jail since it's
>>> obviously a Bad Idea, but does it work from the same (host) machine

It is not a bad idea, at least not if we talk about mounting something
from JailA to JailB. Think about the MySQL socket. I have a jail with
MySQL, and I have a jail which wants to connect to it. I do not want
to allow network connections between those jails (be it for
performance reasons, or that I do not want to involve a network
connection, or that I do not want to give the MySQL jail an IP at all
or whatever).

Solution: give access to the socket via the FS. Ideally by putting the
socket in its own directory and mounting this directory over to the
jail. A workaround for this scenario is below.

>>> without the jail in between (i.e. just the nullfs, no jails)?
>> Hm, yes, you're right. It does work without a jail involved.
>> What's the sane solution, then, when the only method of communication
>> is unix domain sockets?
> It is a security problem. I think the long-term solution would be to

It is a risk-management problem, and as such not the responsibility of
FreeBSD to enforce it. If the sysadmin wants to shoot himself in the foot, it
is his decision.

> add a sysctl analogous to security.jail.param.securelevel to handle this.

Do you know the code which is responsible for the reject of access to
the socket? If yes I can provide a patch regarding jail.param.something.

> I don't think there is a workaround right now.

My workaround with MySQL is to have the jail and the socket in the
same FS (I would prefer to have them on separate FS). Then you can do
a hardlink of the socket into the jail (obviously after each restart
of the software, but this can be scripted). This works for me.
Bye,
Alexander.
--
You are capable of planning your future.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
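An added example, not code from this thread, showing why the hard-link workaround behaves differently from a socket file that nothing is bound to: connect(2) on a local-domain socket resolves the path to the file's vnode and looks for the socket bound to it, so a hard link to the listening socket connects, while a socket file with no listener behind it fails with ECONNREFUSED (errno 61 on FreeBSD, the error in the kdump output above). All paths are constructed; the program assumes a writable directory on a single filesystem.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un; AF_UNIX is the family kdump prints as AF_LOCAL. */
static int make_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa->sun_path) return -1;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Bind + listen at 'path' (any leftover file removed first); fd or -1. */
int listen_at(const char *path) {
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(path);                     /* remove a leftover from a prior run */
    if (make_addr(&sa, path) < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0
        || listen(fd, 1) < 0) { close(fd); return -1; }
    return fd;
}

/* connect(2) to 'path'; returns 0 on success, else the errno connect set. */
int try_connect(const char *path) {
    struct sockaddr_un sa;
    int err = 0, fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (make_addr(&sa, path) < 0) err = ENAMETOOLONG;
    else if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) err = errno;
    close(fd);
    return err;
}

/* The thread's workaround: the daemon listens at 'orig' and the jail is handed
 * 'alias', a hard link to the same vnode; 'stale' is a socket file with no
 * listener bound to it. Returns 0 when the link connects and stale refuses. */
int demo_hardlink(const char *orig, const char *alias, const char *stale) {
    int srv = listen_at(orig), old = listen_at(stale);
    if (srv < 0 || old < 0) return -1;
    close(old);                       /* file remains, but nothing is bound to it */
    unlink(alias);
    if (link(orig, alias) < 0) { close(srv); unlink(orig); return -2; }
    int via_link = try_connect(alias), via_stale = try_connect(stale);
    close(srv); unlink(orig); unlink(alias); unlink(stale);
    return (via_link == 0 && via_stale == ECONNREFUSED) ? 0 : -3;
}
```

Running it with the three socket paths in one directory returns 0 from demo_hardlink; a path that does not exist at all fails earlier, with ENOENT rather than ECONNREFUSED.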
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers