jails and X forwarding
Hiya,

I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be missing something. I have narrowed it down to something with the jail, having successfully done this with non-jails. IOW, sshd_config has "X11Forwarding yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using ezjail. I have tweaked various jail sysctl settings in case there was something there I was missing. I disabled the firewall rules to remove potential interference from that angle. All to no avail. I keep getting ye olde

  xclock
  X11 connection rejected because of wrong authentication.
  Error: Can't open display: localhost:10.0

What am I missing?

--
Randy(schu...@earlham.edu) 765.983.1283 <*>
Hatred does not cease by hatred, but only by love; this is the eternal rule. - Siddhartha Gautama
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
RE: jails and X forwarding
On Fri, 21 Mar 2014, dte...@freebsd.org wrote:
-}
-}> I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be
-}> missing something. I have narrowed it down to something with the jail, having
-}> successfully done this with non-jails. IOW, sshd_config has "X11Forwarding
-}> yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using ezjail. I have
-}> tweaked various jail sysctl settings in case there was something there I was
-}> missing. I disabled the firewall rules to remove potential interference from
-}> that angle. All to no avail. I keep getting ye olde
-}>
-}>   xclock
-}>   X11 connection rejected because of wrong authentication.
-}>   Error: Can't open display: localhost:10.0
-}>
-}> What am I missing?
-}>
-}[Devin Teske]
-}
-}Try installing xauth.

Ah, I had already done that:

  Dude ? pkg_info|egrep xauth
  xauth-1.0.8         X authority file utility

--
Randy(schu...@earlham.edu) 765.983.1283 <*>
Hatred does not cease by hatred, but only by love; this is the eternal rule. - Siddhartha Gautama
security bug or operator "misunderstanding", and a query
Hey all,

I've been messing around with, and liking, jails. I had a weird thing happen tho' that I cannot explain, and seems to violate the concept of jail.

I have the AMD64 version of fbsd 6.2 set up, default install (plus a few minor ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:

  jail_list="ntpjail"

  jail_ntpjail_rootdir=/usr/local/jails/jail1
  jail_ntpjail_hostname=ntpjail.earlham.edu
  jail_ntpjail_ip=192.168.1.59
  jail_ntpjail_interface=bge1
  jail_ntpjail_devfs_enable="YES"

The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules, and no tweaks are in sysctl.conf.

When I have the parent/jail up and running, ntpd not running on the parent, if I kick off ntpd in the jail, it actually kicks off ntpd in the parent then barks with "address already in use".

Now, I understand the "address already in use" part, but how can starting something in the jail affect anything on the parent? I thought the 2 were more separated than that.

I'm trying to get to a setup where ntp on the parent sets the system time but doesn't answer any queries, and ntp in the jail answers the time queries. If anybody has any thoughts on whether or not this is even possible (short of recoding part of ntp ;) or possible avenues of investigation, pls let me know.

Tnx.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Re: security bug or operator "misunderstanding", and a query
On Wed, 15 Aug 2007, Bill Moran spaketh thusly:
-}In response to Randy Schultz <[EMAIL PROTECTED]>:
-}
-}> Hey all,
-}>
-}> I've been messing around with, and liking, jails. I had a weird thing happen
-}> tho' that I cannot explain, and seems to violate the concept of jail.
-}>
-}> I have the AMD64 version of fbsd 6.2 set up, default install(plus a few minor
-}> ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:
-}>
-}> jail_list="ntpjail"
-}>
-}> jail_ntpjail_rootdir=/usr/local/jails/jail1
-}> jail_ntpjail_hostname=ntpjail.earlham.edu
-}> jail_ntpjail_ip=192.168.1.59
-}> jail_ntpjail_interface=bge1
-}> jail_ntpjail_devfs_enable="YES"
-}>
-}> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
-}> and no tweaks are in sysctl.conf.
-}>
-}> When I have the parent/jail up and running, ntpd not running on the parent, if
-}> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
-}> barks with "address already in use".
-}
-}By design, a jail can not start a process on the host. If you are actually
-}able to demonstrate this behaviour, many would be interested because it
-}would constitute a serious bug.

Yup, you're right. Today I took some time to more slowly go through the steps. What I missed before was the "J" in the state field of the ps command, signifying the jailed process. False alarm. Sorry 'bout that.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
djbdns on 127.0.0.1 in a jail problem
Heya,

Playing around with jails and have run across something weird, I was wondering if somebody could explain. I'm trying to get djbdns to run inside the jail, with tinydns running on 127.0.0.1. The thing I cannot figure out is why tinydns always comes up on the jail's IP address, and not lo0, as reported by sockstat:

  Root Dude ? sockstat -l
  USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
  root     sshd       863   3  tcp4   159.28.1.59:22        *:*
  tinydns  tinydns    862   3  udp4   159.28.1.59:53        *:*
  root     syslogd    800   4  dgram  /var/run/log
  root     syslogd    800   5  dgram  /var/run/logpriv
  root     syslogd    800   6  udp4   159.28.1.59:514       *:*
  root     sshd       638   3  tcp4   159.28.1.66:22        *:*
  root     syslogd    530   4  dgram  /var/run/log
  root     syslogd    530   5  dgram  /var/run/logpriv
  root     syslogd    530   6  udp6   *:514                 *:*
  root     syslogd    530   7  udp4   *:514                 *:*
  root     devd       464   4  stream /var/run/devd.pipe

My setup (really just a standard install) runs fine on a non-jailed system, tinydns comes up on 127.0.0.1. The jail does have the correct env setting:

  [EMAIL PROTECTED] /]# cat /service/tinydns/env/IP
  127.0.0.1

At first I thought it was because lo0 was not in /dev in the jail. I've gone as far as unhiding *everything* in /dev via:

  Root Dude ? cat /etc/devfs.rules
  [test_unhide_all=5]
  add include $devfsrules_jail
  add unhide

This indeed worked as the jail now has everything in its /dev. Grasping at straws, I've also tweaked sysctl settings for jails:

  Root Dude ? sysctl -a|egrep jail
  security.jail.jailed: 0
  security.jail.chflags_allowed: 0
  security.jail.allow_raw_sockets: 1
  security.jail.enforce_statfs: 2
  security.jail.sysvipc_allowed: 1
  security.jail.socket_unixiproute_only: 1
  security.jail.set_hostname_allowed: 1

I know it's just something simple I'm missing/glossed over while reading but could somebody pls point me in the general direction of why 127.0.0.1 appears to be unavailable, or where I could read up on how to get it to work?

Tnx.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
Re: djbdns on 127.0.0.1 in a jail problem
On Tue, 2 Oct 2007, Alain Wolf spaketh thusly:
-}Hi Randy,
-}
-}I fell in the same hole on my first setup.
-}There is no such thing as 127.0.0.1 in a FreeBSD Jail.
-}There is just the IP, which the Jail is configured for.
-}I am not a developer, but as far as I understand, a Jail and its IP, is
-}some kind of virtualization, which can not contain any virtualized
-}environment inside itself again. At least not in 6.x
-}
-}So it looks that 127.0.0.1 would be an additional IP like any other one,
-}which is NOT possible in FreeBSD Jails.
-}
-}I read promising things about a fully virtualized IP environment in
-}FreeBSD 7.x, where we can do a lot more than this, but we have to wait for
-}that.
-}
-}After I realized that, I redesigned my plans and I liked them even better.
-}My DJB-DNS setup is now as follows, and works flawlessly.
-}
-}dnscache runs in its own Jail in every physical machine, caching DNS
-}queries for all other Jails on the same machine.
-}
-}Two copies of TinyDNS run each in its own Jail too. Providing a (rather
-}expensive) Split-Horizon DNS Solution.
-}
-}Hope this helps

Indeed it does. Tnx heaps and loads Alain. Now I can stop focusing on getting tinydns to work on 127.0.0.1 in the jails and investigate alternatives to do what we need to do (probably quite similar to what you've outlined).

Woo-hoo! Ah do love freebsd and the wonderful people on these lists.

Later gators.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
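Alain's point that a 6.x jail has no 127.0.0.1 of its own can be checked from inside the jail without touching the tinydns service at all. The following is an added example, not code from the thread or from djbdns: it binds a UDP socket to 127.0.0.1 and asks the kernel through getsockname() which local address the socket really landed on. On a host (or anywhere loopback is available) it stays 127.0.0.1; in a 6.x jail it comes back as the jail's IP, which is what the sockstat output above shows for tinydns.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to want_ip:port (port 0 lets the kernel pick one), then
 * ask via getsockname() which local address the socket really ended up on.
 * The effective address is written to got_ip (at least INET_ADDRSTRLEN
 * bytes). Returns 0 on success, -1 on any failure. */
int bind_and_report(const char *want_ip, unsigned short port, char *got_ip, size_t got_len)
{
    struct sockaddr_in sin, actual;
    socklen_t len = sizeof actual;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, want_ip, &sin.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(s, (struct sockaddr *)&actual, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    return inet_ntop(AF_INET, &actual.sin_addr, got_ip, (socklen_t)got_len) ? 0 : -1;
}

/* 1 if the kernel kept 127.0.0.1 as requested, 0 if it was rewritten to
 * another address (the 6.x jail behaviour), -1 if the bind failed outright. */
int loopback_is_honoured(void)
{
    char got[INET_ADDRSTRLEN];
    if (bind_and_report("127.0.0.1", 0, got, sizeof got) != 0) return -1;
    return strcmp(got, "127.0.0.1") == 0;
}

int main(void)
{
    char got[INET_ADDRSTRLEN];
    if (bind_and_report("127.0.0.1", 0, got, sizeof got) != 0) {
        perror("bind 127.0.0.1");
        return 1;
    }
    printf("asked for 127.0.0.1, kernel bound %s -> %s\n", got,
           strcmp(got, "127.0.0.1") == 0 ? "loopback available" : "rewritten (jail IP)");
    return 0;
}
```

Run it once on the parent and once inside the jail; a daemon whose config says 127.0.0.1 will listen wherever this reports.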
jailed time
Has anybody ever set up a time server in a jail? My goal is to have something serving the time, not actually setting the time, out of the jail. The system clock is sync'd via other means. Unfortunately, ntpd and crew really want to mess with the system clock.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
freebsd: what linux people use when they grow up. ;>
ypserv in a jail?
Anybody ever set up a NIS server in a jail? I'm running a jail on a 6.2 system. When I run ypserv on the parent things work great. When I shut down ypserv on the parent and bring it up in the jail, it comes up fine but never answers any of the broadcasts. I have ruled out any firewalling. I have also tried forcing ypbind to look directly at the jailed ypserv with the -S option. That was ineffective. I have toyed with sysctl variables and have gone as far as:

  security.jail.allow_raw_sockets=1
  security.jail.sysvipc_allowed=1
  security.jail.set_hostname_allowed=1
  security.jail.socket_unixiproute_only=0

Doing a ps on the parent shows the jailed ypserv, sockstat shows ypserv listening on the ports.

Thoughts on what I'm missing?

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
visudo non-functional in 7.0-RELEASE jail
Heya,

Been using jails for a while with 6.2 and 6.3. Today I'm working my first lab box with 7.0-RELEASE. Set everything up with ezjail, e.g. ezjail-admin create... Everything builds/installs fine, no barks. Sudo installed via make install in /usr/ports/security/sudo on both parent and jail after a portsnap update.

The version of sudo works fine in the parent. In the jail however I always get:

  zincite# /usr/local/sbin/visudo
  visudo: /usr/local/etc/sudoers busy, try again later

Sudoers is not busy. This is on a fresh jail that only I have access to, doing a visudo right after the make install finishes. My first thought was the jail dev/fs perms were somehow messed up but I can write to /usr/local/etc. In fact I can vi /usr/local/etc/sudoers and write it back out.

I've checked the sysctl flags. They are the same as on a working 6.x parent (but I've included them here FWIW):

  Root Dude ? sysctl -a|egrep jail
  security.jail.jailed: 0
  security.jail.mount_allowed: 0
  security.jail.chflags_allowed: 0
  security.jail.allow_raw_sockets: 0
  security.jail.enforce_statfs: 2
  security.jail.sysvipc_allowed: 0
  security.jail.socket_unixiproute_only: 1
  security.jail.set_hostname_allowed: 1

Rc.conf has:

  ezjail_enable=YES
  jail_list="zincite"
  jail_zincite_rootdir=/usr/local/jails/zincite
  jail_zincite_hostname=zincite.earlham.edu
  jail_zincite_ip=159.28.83.137
  jail_zincite_interface=bge0
  #jail_zincite_fstab="/etc/zincite.fstab"
  jail_zincite_mount_enable="YES"
  jail_zincite_devfs_enable="YES"

Fstab is pretty standard:

  Root Dude ? cat /etc/fstab.zincite
  /usr/local/jails/basejail /usr/local/jails/zincite/basejail nullfs ro 0 0

The /usr/local/jails/zincite/etc/devfs.conf is non-tweaked.

  zincite# ls -l /dev
  total 0
  dr-xr-xr-x  2 root  wheel       512 Jul 29 16:23 fd
  lrwxr-xr-x  1 root  wheel        14 Jul 29 16:23 log -> ../var/run/log
  crw-rw-rw-  1 root  wheel    0,   6 Jul 29 17:33 null
  crw-rw-rw-  1 root  wheel    0, 121 Jul 29 17:26 ptyp0
  crw-rw-rw-  1 root  wheel    0, 123 Jul 29 17:38 ptyp1
  crw-rw-rw-  1 root  wheel    0,  10 Jul 29 12:23 random
  lrwxr-xr-x  1 root  wheel         4 Jul 29 16:23 stderr -> fd/2
  lrwxr-xr-x  1 root  wheel         4 Jul 29 16:23 stdin -> fd/0
  lrwxr-xr-x  1 root  wheel         4 Jul 29 16:23 stdout -> fd/1
  crw-rw-rw-  1 root  wheel    0, 122 Jul 29 17:26 ttyp0
  crw--w----  1 rj    tty      0, 124 Jul 29 17:38 ttyp1
  lrwxr-xr-x  1 root  wheel         6 Jul 29 16:23 urandom -> random
  crw-rw-rw-  1 root  wheel    0,   7 Jul 29 16:23 zero

and /usr/local/etc/ezjail/zincite contains:

  export jail_zincite_hostname="zincite"
  export jail_zincite_ip="159.28.83.137"
  export jail_zincite_rootdir="/usr/local/jails/zincite"
  export jail_zincite_exec="/bin/sh /etc/rc"
  export jail_zincite_mount_enable="YES"
  export jail_zincite_devfs_enable="YES"
  export jail_zincite_devfs_ruleset="devfsrules_jail"
  export jail_zincite_procfs_enable="YES"
  export jail_zincite_fdescfs_enable="YES"
  export jail_zincite_image=""
  export jail_zincite_imagetype=""
  export jail_zincite_attachparams=""
  export jail_zincite_attachblocking=""
  export jail_zincite_forceblocking=""

I tried tracing visudo but that didn't give me much:

  ...
  1293: open("/usr/local/etc/sudoers",O_RDWR|O_CREAT,0440) = 3 (0x3)
  1293: fcntl(3,F_SETLK,0x7fffe390) ERR#22 'Invalid argument'
  visudo: /usr/local/etc/sudoers busy, try again later
  1293: write(2,"visudo: ",8) = 8 (0x8)
  1293: write(2,"/usr/local/etc/sudoers busy, try"...,44) = 44 (0x2c)
  1293: write(2,"\n",1) = 1 (0x1)
  1293: process exit, rval = 1

I noted the invalid argument, thought busted port, but same thing works great on the parent. I'm running out of places to poke.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
Re: Mail delivery failed: returning message to sender
On Tue, 29 Jul 2008, Boris Samorodov spaketh thusly:
-}Sorry freebsd-jail-list reader,
-}
-}this message is for Randy Schultz.
-}
-}Dear Randy, just FYI, but your mail server is blocking messages...

Taking this off-line. Tnx Boris.

-}On Tue, 29 Jul 2008 22:58:22 +0400 Mail Delivery System wrote:
-}
-}> This message was created automatically by mail delivery software.
-}
-}> A message that you sent could not be delivered to one or more of its
-}> recipients. This is a permanent error. The following address(es) failed:
-}
-}> [EMAIL PROTECTED]
-}> SMTP error from remote mail server after end of data:
-}> host diakatra.earlham.edu [159.28.1.37]: 554 Service unavailable; Client host [services.ipt.ru] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=85.173.16.156
-}
-}> -- This is a copy of the message, including all the headers. --
-}
-}> Return-path: <[EMAIL PROTECTED]>
-}> Received: from [85.173.16.156] (helo=localhost.my.domain)
-}> by services.ipt.ru with esmtpa (Exim 4.54 (FreeBSD))
-}> id 1KNuOp-000Ily-Mp; Tue, 29 Jul 2008 22:58:19 +0400
-}> To: Randy Schultz <[EMAIL PROTECTED]>
-}> Cc: freebsd-jail@freebsd.org
-}> Subject: Re: visudo non-functional in 7.0-RELEASE jail
-}> References: <[EMAIL PROTECTED]>
-}> From: Boris Samorodov <[EMAIL PROTECTED]>
-}> Date: Tue, 29 Jul 2008 22:57:10 +0400
-}> In-Reply-To: <[EMAIL PROTECTED]> (Randy Schultz's message of "Tue\, 29 Jul 2008 14\:20\:34 -0400 \(EDT\)")
-}> Message-ID: <[EMAIL PROTECTED]>
-}> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix)
-}> MIME-Version: 1.0
-}> Content-Type: text/plain; charset=us-ascii
-}
-}> On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:
-}
-}[...]
-}
-}WBR
-}--
-}bsam

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
Re: visudo non-functional in 7.0-RELEASE jail
On Wed, 30 Jul 2008, Edwin Groothuis spaketh thusly:
-}Since lock_file() consists of three different functions depending
-}on your capabilities, could you pastebin the output of your config.log
-}somewhere to figure out which one is used?

http://www.pastebin.be/13079

-}
-}I have visudo (and sudo) here working without any problems, inside
-}and outside jails.

For fbsd 7.0? I have it for 6.x. If yours is 7.0 then I must have missed something. Did you set your jails up the long way or with ezjail?

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
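The ERR#22 on fcntl(F_SETLK) in the trace from the original visudo report is the detail that the generic "busy, try again later" message hides: as Edwin's reply notes, lock_file() has several variants, and the one in use folds every lock failure into "busy". The probe below is an added example, not sudo's code and not from either post. It opens the file the way the trace shows visudo doing it and classifies the F_SETLK failure, so a lock genuinely held by another process (EAGAIN/EACCES) can be told apart from a filesystem that does not support the lock at all (EINVAL/EOPNOTSUPP). The default path and the scratch file used by self_check are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one F_SETLK attempt; visudo reports the last three all as "busy". */
enum lock_result { LOCK_ACQUIRED, LOCK_BUSY, LOCK_UNSUPPORTED, LOCK_FAILED };

/* Open the file as the ktrace shows visudo doing it, then try a non-blocking
 * whole-file write lock. On success the fd (lock held) is handed back via
 * *fd_out; on failure it is closed and errno is classified. */
enum lock_result try_lock(const char *path, int *fd_out)
{
    int fd = open(path, O_RDWR | O_CREAT, 0440);
    if (fd < 0) return LOCK_FAILED;
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET;   /* l_start = 0, l_len = 0: whole file */
    if (fcntl(fd, F_SETLK, &fl) == 0) { *fd_out = fd; return LOCK_ACQUIRED; }
    int err = errno;                   /* save before close() can clobber it */
    close(fd);
    if (err == EAGAIN || err == EACCES) return LOCK_BUSY;            /* really held elsewhere */
    if (err == EINVAL || err == EOPNOTSUPP) return LOCK_UNSUPPORTED; /* the ERR#22 case */
    return LOCK_FAILED;
}

/* Hold the lock here, then let a child process try the same file. POSIX
 * record locks are owned per process, so the child must see LOCK_BUSY. */
enum lock_result probe_from_child(const char *path)
{
    int fd, cfd, status = 0;
    if (try_lock(path, &fd) != LOCK_ACQUIRED) return LOCK_FAILED;
    pid_t pid = fork();
    if (pid == 0) _exit(try_lock(path, &cfd));
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd);                         /* releases our lock */
    if (pid < 0 || !WIFEXITED(status)) return LOCK_FAILED;
    return (enum lock_result)WEXITSTATUS(status);
}

/* Sanity run on a constructed scratch file: first lock acquired, a second
 * process then reports busy. Returns 1 when both hold. */
int self_check(void)
{
    char tmpl[] = "/tmp/sudoers_lock_XXXXXX";   /* constructed scratch path, not sudoers */
    int tfd = mkstemp(tmpl), fd;
    if (tfd < 0) return 0;
    close(tfd);
    int ok = try_lock(tmpl, &fd) == LOCK_ACQUIRED;
    if (ok) close(fd);
    ok = ok && probe_from_child(tmpl) == LOCK_BUSY;
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv)
{
    int fd;
    enum lock_result r = try_lock(argc > 1 ? argv[1] : "/usr/local/etc/sudoers", &fd);
    printf("lock result %d (0 acquired, 1 busy, 2 unsupported, 3 failed)\n", r);
    return r;
}
```

Running it against the sudoers path inside the jail and on the parent shows directly whether the "busy" comes from a contending process or from the filesystem refusing advisory locks.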
request for (security) comments on this setup
Heya,

I'm mounting some iSCSI storage in a jail. It's mounting in the jail via fstab. When the jail is up and I'm logged into the jail I can cd to the mount point, r/w etc., everything seems to work. What's weird tho' is, while a df on the parent shows the partition mounted as expected, a df inside the jail shows the local disk but not the iSCSI mount. This is fbsd 7.1-prerelease, the jail's name is spectro.

On the parent:

  Root Dude ? df -h|egrep data
  /dev/da0s1d    1.3T    2.9G    1.2T     0%    /usr/local/jails/spectro/data
  Root Dude ? cat /etc/fstab.spectro
  /usr/local/jails/basejail /usr/local/jails/spectro/basejail nullfs ro 0 0
  /dev/da0s1d /usr/local/jails/spectro/data ufs rw 1 1

in the jail:

  Dude ? df -h
  Filesystem            Size    Used   Avail Capacity  Mounted on
  /dev/mirror/gm0s1e    178G     43G    121G    26%    /
  Root Dude ? dmesg|egrep da0
  da0 at iscsi0 bus 0 target 0 lun 0
  da0: Fixed Direct Ac
  Root Dude ? cd /data
  Root Dude ? ls -l
  total 5830386
  drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
  -rw-r-----  1 root  wheel     5967380480 Sep 22 09:44 all.5
  Root Dude ? touch test
  Root Dude ? ls -l
  total 5836930
  drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
  -rw-r-----  1 root  wheel     5974065152 Sep 22 09:45 all.5
  -rw-r--r--  1 root  wheel              0 Sep 22 09:44 test
  Root Dude ? iostat 1
        tty             ad4              ad6              da0             cpu
   tin tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
     0    5 33.42   4  0.12  33.43   4  0.12  62.62   2  0.11   0  0  0  0 100
     0  232 64.00   6  0.37  64.00   4  0.25  58.95  19  1.09   0  0  0  0 100
     0   78 60.57  14  0.83  61.00  16  0.95  53.09  22  1.14   0  0  0  0 100
  ^C

So, my first question is what am I missing, the second is does mounting things this way into a jail pose any sort of risk for escaping the jail?

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
Re: request for (security) comments on this setup
On Mon, 22 Sep 2008, Bjoern A. Zeeb spaketh thusly:
-}On Mon, 22 Sep 2008, Randy Schultz wrote:
-}
-}Hi,
-}
-}> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
-}> fstab. When the jail is up and I'm logged into the jail I can cd
-}> to the mount point, r/w etc., everything seems to work. What's weird tho'
-}> is, while a df on the parent shows the partition mounted as expected, a df
-}> inside the jail shows the local disk but not the iSCSI mount.
-}> ...
-}> So, my first question is what am I missing, the second is does mounting
-}> things this way into a jail pose any sort of risk for escaping the jail?
-}
-}Does anything change if you do a
-}  sysctl security.jail.enforce_statfs=1

Arg. I never thought to check for a sysctl option. Indeed it does. Tnx much for the poke.

--
Randy([EMAIL PROTECTED]) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.