Raphael H. Becker
2006-Dec-19 11:41 UTC
/etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
Hi *,
I recently triggered an error when setting up a jail host: I configured
the jail(s) like every jail I set up in the past.
On the jail host's /etc/rc.conf:
# ---- Jail-Globals ----
jail_enable="YES"                   # Set to NO to disable starting of any jails
jail_list="ftp mx1 relay"           # Space separated list of names of jails
jail_set_hostname_allow="NO"        # Allow root user in a jail to change its hostname
jail_socket_unixiproute_only="YES"  # Route only TCP/IP within a jail
jail_sysvipc_allow="NO"             # allow SystemV IPC use from within a jail
# ---- Jail-Defaults ----
jail_interface="fxp0"
jail_devfs_enable="YES"             # mount devfs in the jail
jail_fdescfs_enable="YES"           # mount fdescfs in the jail
jail_procfs_enable="YES"            # mount procfs in jail
jail_mount_enable="NO"              # mount/umount jail's fs
[...]
# ---- ftp
jail_ftp_rootdir="/data/jails/ftp.XXX.YYY.com"
jail_ftp_ip="62.xxx.yyy.133"
jail_ftp_hostname="ftp.XXX.YYY.com"
This works well on other systems. When I started the ftp jail using
"/etc/rc.d/jail start ftp", the system went "offline"; ifconfig showed
this:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 62.xxx.yyy.133 netmask 0xffffffff broadcast 62.xxx.yyy.133
ether 00:06:5b:04:54:69
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
Bad thing. The primary IP of the host and all other IPs on fxp0 were
lost; only the jail's IP/32 (alias) was left.
In the normal state, ifconfig looks like this with some jails running:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 62.xxx.yyy.150 netmask 0xffffff00 broadcast 62.xxx.yyy.255
inet 62.xxx.yyy.133 netmask 0xffffffff broadcast 62.xxx.yyy.133
inet 62.xxx.yyy.131 netmask 0xffffffff broadcast 62.xxx.yyy.131
inet 62.xxx.yyy.132 netmask 0xffffffff broadcast 62.xxx.yyy.132
ether 00:06:5b:04:54:69
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
It turned out that a syntax error in the jail's /etc/rc.conf (a missing
quote) breaks the jail host?!? Can anyone confirm this?
If a jail's rc.conf can break a jail host like this, this might be a
serious problem for systems with "untrusted" ~root in the jails and
should be fixed in 6.2.
Regards
Raphael Becker
PS: System is 6.2-RC1
# $FreeBSD: src/etc/rc.d/jail,v 1.23.2.7 2006/06/06 15:04:39 flz Exp $
Philipp Wuensche
2006-Dec-21 19:02 UTC
/etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
Raphael H. Becker wrote:
> Hi *,
>
> I recently triggered an error when setting up a jail-host: I configured
> the jail(s) like every jail I set up in the past:

Yes, this is a bug in rc.d/jail and was introduced in this change:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32

When a jail fails to start, in your case because of a broken rc.conf in
the jail, the jail is stopped and the ipaddr-alias is unconfigured from
the interface with the following command:

ifconfig ${jail_interface} -alias ${jail_ip}

Unfortunately, in the change above the variables were renamed to
_interface and _ip; this leads to ifconfig getting executed without a
specified ipaddr., and therefore the first alias is unconfigured, which
is in most cases the ipaddr. you are using to access the remote host.
${jail_interface} is only the correct interface out of luck, so it
should be changed to _interface too.

I think the correct way would be to call jail_stop() instead of doing
the cleanup by hand, but in the current implementation this would leave
the ipaddr-alias configured on the interface. I think I already
mentioned once that I don't like this interface and ipaddr.
configuration feature in rc.d/jail at all.

Anyway, the quick fix is trivial and should be included in 6.2.
Otherwise we have a possible DoS security problem with the new release.

--- rc.d/jail.old	Fri Dec 22 03:09:27 2006
+++ rc.d/jail	Fri Dec 22 03:10:07 2006
@@ -228,8 +228,8 @@
 		echo ${_jail_id} > /var/run/jail_${_jail}.id
 	else
 		jail_umount_fs
-		if [ -n "${jail_interface}" ]; then
-			ifconfig ${jail_interface} -alias ${jail_ip}
+		if [ -n "${_interface}" ]; then
+			ifconfig ${_interface} -alias ${_ip}
 		fi
 		echo "  cannot start jail \"${_jail}\": "
 		tail +2 ${_tmp_jail}

greetings,
philipp
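Review bot: the guard in this hunk still tests only `${_interface}`, so if `${_ip}` is empty or unset the rewritten line runs `ifconfig ${_interface} -alias` with no address, which is exactly the failure this thread reports (the interface's first address gets removed instead of the jail's alias). Suggest `if [ -n "${_interface}" ] && [ -n "${_ip}" ]; then` and quoting both expansions in the ifconfig call, so an empty value aborts the cleanup before it reaches ifconfig.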
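The failure mode Philipp describes (an empty address variable turning `ifconfig IF -alias IP` into `ifconfig IF -alias`, which strips the interface's first address) and a guarded cleanup that refuses to run in that case, as an added example that is not code from the thread or from FreeBSD's rc.d/jail. It assumes a constructed `ifconfig_stub` that only records its arguments, so the script runs offline, and a documentation-range address instead of the poster's real one.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.d/jail.
# ifconfig_stub is a constructed stand-in for ifconfig(8): it only records
# the arguments it would have been run with, so nothing touches a real
# interface and the script can be run anywhere.

IFCONFIG_LOG=""   # last command line that "reached" ifconfig

ifconfig_stub() {
    IFCONFIG_LOG="$*"
    return 0
}

# Mirrors the buggy cleanup step: whatever the variables hold is passed
# through unquoted. With an empty address the call collapses to
# "fxp0 -alias", which on a real host removes the first address on fxp0,
# not the jail's /32 alias.
buggy_cleanup() {
    _iface="$1"; _ip="$2"
    ifconfig_stub ${_iface} -alias ${_ip}
}

# Plausibility check for a dotted-quad IPv4 literal (constructed helper).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Hardened cleanup: both values must be present and the address must look
# like an IPv4 literal before ifconfig is invoked; otherwise return 1 and
# leave the interface untouched. Expansions are quoted so a stray empty
# value can never shift the argument list.
safe_cleanup() {
    _iface="$1"; _ip="$2"
    if [ -z "${_iface}" ] || [ -z "${_ip}" ]; then
        echo "refusing ifconfig: interface='${_iface}' ip='${_ip}'" >&2
        return 1
    fi
    if ! is_ipv4 "${_ip}"; then
        echo "refusing ifconfig: '${_ip}' is not an IPv4 address" >&2
        return 1
    fi
    ifconfig_stub "${_iface}" -alias "${_ip}"
}

# Demonstration with a constructed (documentation-range) jail address.
buggy_cleanup fxp0 ""            && echo "buggy ran: ifconfig $IFCONFIG_LOG"
safe_cleanup  fxp0 ""            || echo "safe refused empty address"
safe_cleanup  fxp0 192.0.2.133   && echo "safe ran:  ifconfig $IFCONFIG_LOG"
```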
Raphael H. Becker
2006-Dec-24 16:51 UTC
/etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
Hi Philipp,

On Fri, Dec 22, 2006 at 03:35:37AM +0100, Philipp Wuensche wrote:
> Raphael H. Becker wrote:
> > Hi *,
> >
> > I recently triggered an error when setting up a jail-host: I configured
> > the jail(s) like every jail I set up in the past:
> --- rc.d/jail.old	Fri Dec 22 03:09:27 2006
> +++ rc.d/jail	Fri Dec 22 03:10:07 2006
> @@ -228,8 +228,8 @@

Are you taking care of getting the patch committed, or should I contact
Florent (the last committer) directly? Or is the patch already on its
way? I actually follow cvs-all (or rather cvs-src and cvs-ports) fairly
closely, and I would have noticed if anything had happened there. It
doesn't seem to be in RC2 yet.

Many thanks!

Regards
Raphael