search for: allow_raw_sockets

Operating system virtualization is the most effective way to utilize your system resources, jails let you setup isolated mini-systems. Jails are explains well in handbook however, from practical standpoint of view, the presented material is incomplete. The post below setup few scrips that follow handbook's 'Application of Jails' article and enhance with few missing features

...Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so that programs various network debugging programs like ping and traceroute etc can be used. This patch will create the security.jail.allow_raw_sockets sysctl MIB. I would appriciate any feed-back from testers See PR #: http://www.freebsd.org/cgi/query-pr.cgi?pr=65800 -------------------- SNIP SNIP ------------------------ --- sys/kern/kern_jail.c.bak Mon Apr 19 16:55:40 2004 +++ sys/kern/kern_jail.c Mon Apr 19 17:56:03 2004 @@ -53,6...

Bug or something, look at this <mother-mail>[~]# cat /etc/sysctl.conf security.jail.allow_raw_sockets=1 security.jail.set_hostname_allowed=0 <mother-mail>[~]# sysctl -a | grep jail security.jail.set_hostname_allowed: 1 <<<<< here security.jail.socket_unixiproute_only: 1 security.jail.sysvipc_allowed: 0 security.jail.enforce_statfs: 2 security.jail.allow_raw_sockets: 1 sec...

Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the

...03_1b.pagesize: 4096 p1003_1b.rtsig_max: 0 p1003_1b.sem_nsems_max: 0 p1003_1b.sem_value_max: 0 p1003_1b.sigqueue_max: 0 p1003_1b.timer_max: 0 security.jail.set_hostname_allowed: 1 security.jail.socket_unixiproute_only: 1 security.jail.sysvipc_allowed: 0 security.jail.enforce_statfs: 2 security.jail.allow_raw_sockets: 0 security.jail.chflags_allowed: 0 security.jail.jailed: 0 security.bsd.suser_enabled: 1 security.bsd.see_other_uids: 1 security.bsd.see_other_gids: 1 security.bsd.conservative_signals: 1 security.bsd.unprivileged_proc_debug: 1 security.bsd.unprivileged_read_msgbuf: 1 security.bsd.hardlink_check_u...