Philipp Wuensche wrote:
> Raphael H. Becker wrote:
>> Hi *,
>>
>> I recently triggered an error when setting up a jail-host: I configured
>> the jail(s) like every jail I set up in the past:
>
> Yes, this is a bug in rc.d/jail and was introduced in this change:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32.
>
> When a jail fails to start, in your case a broken rc.conf in the jail,
> the jail is stopped and the ipaddr-alias is unconfigured from the
> interface with the following command: ifconfig ${jail_interface} -alias
> ${jail_ip}
>
> Unfortunately in the change above the variables were renamed to
> _interface and _ip, this leads to ifconfig getting executed without a
> specified ipaddr. and therefore the first alias is unconfigured, which
> is in most cases the ipaddr. you are having access to the remote host.
>
> ${jail_interface} is only the correct interface out of luck, so it
> should be changed to _interface too.
>
> I think the correct way would be to call jail_stop() instead of doing
> the cleanup by hand but in the current implementation this would leave
> the ipaddr-alias configured on the interface.
>
> I think I already mentioned once that I don't like this interface and
> ipaddr. configuration feature in rc.d/jail at all.
>
> Anyway, the quick fix is trivial and should be included in 6.2.
> Otherwise we have a possible DoS security problem with the new release.
>
> --- rc.d/jail.old Fri Dec 22 03:09:27 2006 > +++ rc.d/jail Fri Dec 22 03:10:07 2006 > @@ -228,8 +228,8 @@ > echo ${_jail_id} > /var/run/jail_${_jail}.id > else > jail_umount_fs > - if [ -n "${jail_interface}" ]; then > - ifconfig ${jail_interface} > -alias ${jail_ip} > + if [ -n "${_interface}" ]; then > + ifconfig ${_interface} -alias ${_ip} > fi > echo " cannot start jail \"${_jail}\": " > tail +2 ${_tmp_jail}
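Review bot: the guard on the `+` lines tests only `${_interface}`, so when `${_ip}` is empty the unquoted call `ifconfig ${_interface} -alias ${_ip}` still runs with no address argument, which is the behaviour this patch sets out to remove. Suggest requiring both values, for example `if [ -n "${_interface}" -a -n "${_ip}" ]; then`, and quoting both expansions in the `ifconfig` call so an unexpected value cannot change the argument list.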
Patch looks good. Would be indeed nice to have this fixed before 6.2R is released.

--
Florent Thoumie
[EMAIL PROTECTED]
FreeBSD Committer
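The failure-path cleanup discussed in this thread, as an added example that is not part of the original messages or of rc.d/jail. `ifconfig` is replaced by a recording stub, and the function names, interface name and address are constructed for illustration; `cleanup_strict` is a hypothetical variant, not something proposed in the thread.

```shell
#!/bin/sh
# Constructed demo. ifconfig is a stub that only records its arguments,
# so nothing on the host is changed.
ifconfig() { LAST_CALL="ifconfig $*"; }

# State after the rename: per-jail values live in _interface/_ip,
# jail_ip is no longer set, and jail_interface is assumed to still hold
# a usable name. em0 and 192.0.2.10 are constructed sample values.
setup_vars() {
    jail_interface="em0"
    unset jail_ip
    _interface="em0"
    _ip="${1-192.0.2.10}"
}

# Failure-path cleanup with the old variable names (the '-' lines).
cleanup_before() {
    LAST_CALL=""
    if [ -n "${jail_interface}" ]; then
        ifconfig ${jail_interface} -alias ${jail_ip}
    fi
    echo "${LAST_CALL}"
}

# Failure-path cleanup with the renamed variables (the '+' lines).
cleanup_patched() {
    LAST_CALL=""
    if [ -n "${_interface}" ]; then
        ifconfig ${_interface} -alias ${_ip}
    fi
    echo "${LAST_CALL}"
}

# Hypothetical stricter variant: skip the call unless both values are
# non-empty, and quote them so they stay single arguments.
cleanup_strict() {
    LAST_CALL=""
    if [ -n "${_interface}" ] && [ -n "${_ip}" ]; then
        ifconfig "${_interface}" -alias "${_ip}"
    fi
    echo "${LAST_CALL}"
}

setup_vars
echo "before:  $(cleanup_before)"
echo "patched: $(cleanup_patched)"
```

Running a script under `set -u` while testing makes a reference to a renamed, now-unset variable fail immediately instead of expanding to nothing.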