<p><strong>DragonFlyBSD bugtracker: Bug #118: jails clean startup</strong> (<a class="external" href="https://bugs.dragonflybsd.org/issues/118">https://bugs.dragonflybsd.org/issues/118</a>)</p>
<p><strong>Updated by joerg</strong>, 2006-03-20T05:58:10Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=384">journal 384</a>)</p>
<p>On Sun, Mar 19, 2006 at 10:16:29PM +0100, Michal Belczyk wrote:</p>
<blockquote>
<p>the attached patches make it a bit easier to setup jails (no fake /etc/fstab,<br />no additional network_interfaces="" in jails' /etc/rc.conf, etc) since some<br />services are not supposed to run inside jail.</p>
</blockquote>
<p>I never liked the nojail keyword. Anyway, I don't like the new sysctl<br />either, since it is redundant. Try "kill -0 1" :-)</p>
<p>Joerg</p>
<p><strong>Updated by corecode</strong>, 2006-03-20T06:50:40Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=385">journal 385</a>)</p>
<p><a class="email" href="mailto:joerg@britannica.bec.de">joerg@britannica.bec.de</a> wrote:</p>
<blockquote><blockquote>
<p>the attached patches make it a bit easier to setup jails (no fake /etc/fstab,<br />no additional network_interfaces="" in jails' /etc/rc.conf, etc) since some<br />services are not supposed to run inside jail.</p>
</blockquote>
<p>I never liked the nojail keyword. Anyway, I don't like the new sysctl<br />either, since it is redundant. Try "kill -0 1" :-)</p>
</blockquote>
<p>I actually quite like the patch. And having a sysctl telling explicitly <br />if running in a jail or not seems a very sane idea. What does FreeBSD do?</p>
<p>cheers<br /> simon</p>
<p><strong>Updated by andreas.kohn</strong>, 2006-03-20T07:36:20Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=386">journal 386</a>)</p>
<p>Hi,</p>
<p>Exactly that sysctl exists on FreeBSD as well. And I also consider an<br />explicit sysctl way better than some non-obvious[*] method to figure out<br />the same.</p>
<p>Regards,<br />--<br />Andreas</p>
<p>[*] The man page of kill doesn't mention "0" as a way to check if a<br />process is jailed, and neither jail(2) nor jail(8) talk about it. And I<br />don't think a user new to jails imagines that trying and failing to send<br />a non-existing signal (cf. sys/signal.h, signal(3)) to init will tell him<br />whether he is jailed or not. But I may be overlooking something obvious,<br />of course :)</p>
<p><strong>Updated by joerg</strong>, 2006-03-20T07:56:10Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=387">journal 387</a>)</p>
<p>On Mon, Mar 20, 2006 at 12:29:47AM +0100, Andreas Kohn wrote:</p>
<blockquote>
<p>[*] The man page of kill doesn't mention "0" as a way to check if a<br />process is jailed, and neither jail(2) nor jail(8) talk about it.</p>
</blockquote>
<p>"0" is a valid signal and the standard check to see if a process exists.<br />Which process is known to run in the base system and can't exist in a<br />jail therefore?</p>
<p>Joerg</p>
<p><strong>Updated by corecode</strong>, 2006-03-20T08:19:40Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=388">journal 388</a>)</p>
<p>On 20.03.2006, at 00:29, Andreas Kohn wrote:</p>
<blockquote>
<p>[*] The man page of kill doesn't mention "0" as a way to check if a<br />process is jailed, and neither jail(2) nor jail(8) talk about it. And I<br />don't think a user new to jails imagines that trying and failing to send<br />a non-existing signal (cf. sys/signal.h, signal(3)) to init will tell him<br />whether he is jailed or not. But I may be overlooking something obvious,<br />of course :)</p>
</blockquote>
<p>You'll get an ESRCH if you're in a jail, I guess. Or an EPERM?<br />Whatever, the sysctl is the way to go, IMO.</p>
<p>cheers<br /> simon</p>
<p><strong>Updated by andreas.kohn</strong>, 2006-03-20T08:32:40Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=389">journal 389</a>)</p>
<p>Moin,</p>
<p>To be fair, the man pages of FreeBSD's jail(8) utility or jail(2) also<br />do not mention the security.jail.jailed sysctl. [*]</p>
<p>I do however consider it way more obvious to check an explicit sysctl,<br />or try to find one by looking at the related controls, than using kill,<br />ps, or trying to bind a socket to 0.0.0.0 or whatever.</p>
<p>On Mon, 2006-03-20 at 00:51 +0100, <a class="email" href="mailto:joerg@britannica.bec.de">joerg@britannica.bec.de</a> wrote:</p>
<blockquote>
<p>"0" is a valid signal and the standard check to see if a process exists.<br />Which process is known to run in the base system and can't exist in a<br />jail therefore?</p>
</blockquote>
<p>On Mon, 2006-03-20 at 01:14 +0100, Simon 'corecode' Schubert wrote:</p>
<blockquote>
<p>You'll get an ESRCH if you're in a jail, I guess. Or an EPERM?</p>
</blockquote>
<p>I guess. My argument was not that there are no other methods, but that a<br />sysctl is more obvious than those methods. Compare the commit message<br />when the sysctl was added to FreeBSD:</p>
<p>----<br />date: 2004/02/19 14:29:14; author: pjd; state: Exp; lines: +13 -0<br />Added sysctl security.jail.jailed.<br />It returns 1 if process is inside of jail and 0 if it is not.<br />Information if we are in jail or not is not a secret, there is plenty<br />of ways to discover it. Many people are using own hack to check this<br />and this will be a legal way from now on.<br />---</p>
<p>Regards,<br />Andreas</p>
<p>[*] Which of course can be changed, thanks for the idea :)<br /> <a class="external" href="http://www.freebsd.org/cgi/query-pr.cgi?pr=94711">http://www.freebsd.org/cgi/query-pr.cgi?pr=94711</a></p>
<p><strong>Updated by belczyk</strong>, 2006-03-20T18:17:10Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=391">journal 391</a>)</p>
<p>On Sun, Mar 19, 2006 at 10:52:08PM +0100, <a class="email" href="mailto:joerg@britannica.bec.de">joerg@britannica.bec.de</a> wrote:</p>
<blockquote>
<p>On Sun, Mar 19, 2006 at 10:16:29PM +0100, Michal Belczyk wrote:</p>
<blockquote>
<p>the attached patches make it a bit easier to setup jails (no fake /etc/fstab,<br />no additional network_interfaces="" in jails' /etc/rc.conf, etc) since some<br />services are not supposed to run inside jail.</p>
</blockquote>
<p>I never liked the nojail keyword. Anyway, I don't like the new sysctl<br />either, since it is redundant. Try "kill -0 1" :-)</p>
</blockquote>
<p>OK, so suggest another keyword to use, change the check in /etc/rc and ignore<br />the kernel patch I sent. Where's the problem?</p>
<p><strong>Updated by alexh</strong>, 2009-09-15T03:04:36Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=7401">journal 7401</a>)</p>
<p>IMHO this should be committed (at least the sysctl). Any other opinion?</p>
<p>Cheers,<br />Alex Hornung</p>
<p><strong>Updated by tuxillo</strong>, 2013-03-10T11:27:27Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=11348">journal 11348</a>)</p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/11348/diff?detail_id=886">diff</a>)</li><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Assignee</strong> deleted (<del><i>0</i></del>)</li></ul><p>+1 for pushing sysctl patch.</p>
<p><strong>Updated by marino</strong>, 2013-03-12T12:56:09Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=11385">journal 11385</a>)</p>
<p>This is related to the GSOC project idea I put forth. Apparently Enjolras is also looking at it, perhaps in the context of GSoC or even separately.</p>
<p><strong>Updated by liweitianux</strong>, 2019-06-18T02:01:25Z (<a class="external" href="https://bugs.dragonflybsd.org/issues/118?journal_id=13690">journal 13690</a>)</p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/13690/diff?detail_id=3254">diff</a>)</li><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul><p>I improved and pushed this patch to the master branch. Thank you.</p>
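<p>An added example (not code from this bug report or from the patches attached to it): a POSIX sh sketch of how an /etc/rc-style startup can consume the security.jail.jailed sysctl the thread argues for, fall back to the "kill -0 1" heuristic when the sysctl is absent, and skip rc.d scripts tagged with the nojail keyword. The function names, the sample rc.d scripts and the grep-based stand-in for rcorder -s are constructed for illustration.</p>

```shell
# Added example (not from the bug report): decide "jailed or not" the way the
# thread recommends, then skip rc.d scripts carrying the nojail keyword.
# Function names and the sample scripts are constructed for illustration.

# Return 0 when the system reports running inside a jail, 1 otherwise.  The
# explicit sysctl is preferred; without it, fall back to the thread's
# "kill -0 1" heuristic (pid 1 is not visible from inside a jail).
is_jailed() {
    v=$(sysctl -n security.jail.jailed 2>/dev/null)
    case "$v" in
        0) return 1 ;;
        1) return 0 ;;
    esac
    # Ambiguous fallback: an unprivileged user on the host also gets a
    # failure (EPERM), which is exactly why the sysctl is the better check.
    kill -0 1 2>/dev/null && return 1
    return 0
}

# Print the scripts in directory $1 whose "# KEYWORD:" line lacks keyword $2,
# a simplified stand-in for "rcorder -s $2 $1/*" (no dependency ordering).
rc_scripts_without_keyword() {
    dir=$1; kw=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^# KEYWORD:.*[[:space:]]$kw([[:space:]]|\$)" "$f"; then
            continue
        fi
        printf '%s\n' "$f"
    done
}

# Constructed rc.d directory mixing jail-safe and host-only services.
make_demo_rcdir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# PROVIDE: sshd\n# KEYWORD: shutdown\n' > "$d/sshd"
    printf '#!/bin/sh\n# PROVIDE: netif\n# KEYWORD: nojail\n' > "$d/netif"
    printf '#!/bin/sh\n# PROVIDE: fsck\n# KEYWORD: nojail nostart\n' > "$d/fsck"
    printf '#!/bin/sh\n# PROVIDE: syslogd\n' > "$d/syslogd"
    echo "$d"
}

demo=$(make_demo_rcdir)
if is_jailed; then
    echo "jailed: starting only jail-safe scripts"
    rc_scripts_without_keyword "$demo" nojail
else
    echo "not jailed: every script in $demo would start"
fi
rm -rf "$demo"
```

On a host without the sysctl and without root, is_jailed takes the heuristic branch and reports "jailed" because kill -0 1 fails with EPERM, which is the ambiguity the thread points out.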