search for: jailed

Hello, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! But I have one problem: If I want to stop a jail with 'jaill -r jailname', I get "umount: unmount of /.jail.jailname failed: Device busy" It seems to me that the order of fstab.jailname entries are not reverted by jail(8) when shutting down/umounting. My C skills

Hi *, I recently triggered an error when setting up a jail-host: I configured the jail(s) like evry jail I set up in the past: On the jail-hosts /etc/rc.conf: # ---- Jail-Globals ---- jail_enable="YES" # Set to NO to disable starting of any jails jail_list="ftp mx1 relay" # Space separated list of names of jails

Hi, Running: Freebsd 6.0 I am wondering if it is possible to have acces to loopback ip in a jail. I currently have a server running a jail. In the jail, there is a database and a web server. I would like to be able to have the database only bind on a loopback address and not on the jail's ip. Can this be done and how? Thanks -Cyril

I'm thinking of using jails to improve security on a server I am setting up. Specifically, I would like to put Apache/PHP in a jail, but I might like to set up 2-3 different jails for different purposes. I've found several examples showing how to set the jails up. My questions involve system requirements. Assuming plenty of disk space, 1GB ram and a dual processor PIII 1.13Ghz

> I recently did something like this. I have a webserver in a jail that > needs to talk to a database, and the webserver is the only thing that > should talk to the databse. > My solution was to use 2 jails: one for the webserver, and another for the > database. > Jail 1: > * runs webserver > * binds to real interface with real, routable IP > Jail 2: > *

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privilegs to a FreeBSD jail & user privileges to the jails host machine can obtain root privileges on the host machine. Can someone confirm if this bugg/exploit works?

...quot;symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges. Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to...

...quot;symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges. Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to...

...quot;symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges. Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to...

...nd am configuring ipfilter. Here are my questions: Because I'm using Jails, I will have to have multiple ip aliases on the network interface. I will use ipfilter to specify what can go to each of the addresses. (e.g., allow only incoming to port 80 on the jail running apache). Another jailed server will run mail services (pop, smtp, imap). If I want to allow users to use web based email(over ssl of course), the web server will have to communicate with the mail server. Is there a chance of "information leakage" in this type of setup? Finally, I'd like to use SSL t...

...quot;symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges. Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to...

...but can be enabled by setting this MIB entry to 1. Reading this it sounds like setting jail.sysvipc_allowed=1 is a bad idea? So I guess my question is, whether it is a big security risk to run postgresql in a jail? And what if I am running postgresql in both the host environment and the jailed environment? Will I bee asking for troubles? I managed to get things running, and so far I haven't had problems, but I was wondering if it is safe to run postgresql + jail. I have seen an ISP offering freebsd jails, and they have a list regarding downsides of running jail (such as you can't...

Hello, while playing with new jail features, I recognized that manually umounting doesn't work as I'd expect. After jail has been destroyed, the following mountpoint is active: /dev/gpt/jailname1ROOT on /.jail.jailname1 (ufs, local, read-only) There was var mounted to /.jail.jailname1/var but that sucessfully umounted. 'fstat' also shows no open files in /.jail.jailname1 But

Hi, i've got this problem with my jail and i'm abolutly lost as in the why of it. I previously posted this on comp.unix.bsd.freebsd.misc but i was advised to send here I was unable to find help on google :( To resume quick, when i'm in a jail, netstat doesn't work properly. Hopefully i have provided sufficient information for anyone willing to help me :p First of all, my system :

Hi, i've set the outside ip for the jail..It works.. When i try to ssh to jail'ed system from the main system (in which is created jail) the connection is successful, but when i try to connect to jailed system from anywhere else i get this message: ssh: connect to host IP_NUMBER port 22: Operation timed out What can be wrong here? How to solve this problem?

Hi, I attach 2 files in this email, the first is a Makefile and the second is jail.conf. For demonstre my idea i resolved create one "Pseudo Prototyping", for test is necessary: 1 - Create dir /usr/local/basejail 2 - Copy Makefile to /usr/local/basejail 3 - Copy jail.conf to /etc 4 - The initial basejail is precompiled is distributed in CD1, for simular basejail is necessary a

On 2019-11-13 09:30, Andrew Bartlett wrote: > Regarding your problem, on linux I use lslocks to debug from here, you > can normally work out which process is holding the lock, which lock it > is waiting on (if any, marked with a *) and gdb that to work out what > is the matter with it, and perhaps why it is in that situation. Hmm... I have no lslocks on FreeBSD; will lsof do? In

Hello, I would like to run other services like messaging services on my firewall machine too. Does it make sense to run shorewall, openvpn and the pppoe package in a chroot jail? And is it possible to run these programs as an other user? Ciao Hugo

Hi all, Is it mandatory to add device mem to jails to enable network via the gateway? Left ezjail with FreeBSD-6.3 (and a hardware replacement of my server) and am now starting again with FreeBSD-7.1. Early this week, I upgraded from 7.0 to 7.1 (not having 'used' jails on 7.0). After creating the jail with `ezjail-admin update -i` I created a 'ports build' jail `ezjail-admin

This message was sent to bugtraq today: While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an ethernet interface into promiscious mode from within the jailed environment, allowing a packetsniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x This can be reproduced on boxes where BPF support is enabled in the kernel and a BPF device is available in the jail (badly configured devfs/no rules) The...