On Fri, August 23, 2013 1:13 pm, Mike C. wrote: > On 08/23/13 16:35, Valeri Galtsev wrote: >> >> On Fri, August 23, 2013 11:31 am, Josh Beard wrote: >>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. <miguelmcl...@gmail.com> >>> wrote: >>> >>>> >>>> On 08/23/13 16:34, Mike C. wrote: >>>>> Yes I know about >>>>> >>>>>> security.jail.allow_raw_sockets=1 >>>>> >>>>> Like I said I can do this with "root" just not with the user nagios, >>>>> I >>>> guess If raw_sockets was set to 0 on the host, I would have problems >>>> with >>>> any user! >>>>> >>>>> >>>>> >>>>> ---- >>>>> Putting this in /etc/rc.conf: >>>>> >>>>> jail_${JailName}_parameters="allow.raw_sockets=1" >>>>> >>>>> does not allow every jail access to raw sockets. There is an example >>>> in >>>>> /etc/defaults/rc.conf. >>>>> >>>>> >>>> >>>> [EDIT: better englih... sorry typing on smartphones sucks] >>>> >>>> Now this is something I wasn't aware of... very nice and thanks for >>>> the >>>> tip on ez-jails, I'm indeed using ez-jails! >>>> >>>> Is there any other setting that would forbid non root users to use raw >>>> sockets? >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>> Mike, >>> >>> Doesn't sound to me like an issue with the jail's configuration, but >>> I'm >>> no >>> expert. >>> >>> I'm running NRPE on many jails without issue there and without any >>> special >>> jail configuration. >>> >>> Are you getting "Operation not permitted" output from the "check_http" >>> plugin on the local system or over something like NRPE our through the >>> Nagios configurations? >>> >>> Josh > > Local and remote but not wiht nrpe yet... I guess If I can't use > check_http, I will hae problems with nrpe too. > > >> >> Also, try to do something simple like ping or traceroute as user nagios >> (user for whom check_http fails) in that jail, - does that give any >> error? >> > > Iteresting I see: > traceroute: icmp socket: Operation not permitted > > Same for > ping: socket: Operation not permitted > > Even with root... so I guess that's the problem, but I wonder now I does > check_http work for route? If I can't even ping... >
Also, for whatever reason nice per jail configuration that Scott Lambert pointed to did not work for me, so I still had to stay with allowing raw sockets in all jails on my boxes... Could you try that less elegant configuration I mentioned: # execute the command: sysctl security.jail.allow_raw_sockets=1 # restart jail in question - and see if you still have raw socket problem for users in that jail. Thanks. Valeri > >> Thanks. >> Valeri >> >>> _______________________________________________ >>> freebsd-jail@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail >>> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org" >>> >> >> >> ++++++++++++++++++++++++++++++++++++++++ >> Valeri Galtsev >> Sr System Administrator >> Department of Astronomy and Astrophysics >> Kavli Institute for Cosmological Physics >> University of Chicago >> Phone: 773-702-4247 >> ++++++++++++++++++++++++++++++++++++++++ >> > > > -- > Melhores Cumprimentos // Best Regards > ------------------------------------------------------------------------ > Miguel Clara > *nix Sys Admin Freelance > > > > http://www.linkedin.com/in/miguelmclara/ > Mike_C_PT <https://twitter.com/Mike_C_PT> > http://about.me/miguelmclara > ------------------------------------------------------------------------ > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"