cvs commit: src/usr.sbin/jexec jexec.8 jexec.c

Oliver Fromme olli at fromme.com
Thu May 29 13:11:13 UTC 2008


Pawel Jakub Dawidek wrote:
 > On Mon, May 26, 2008 at 11:57:49AM +0000, Michael Reifenberger wrote:
 > > mr          2008-05-26 11:57:49 UTC
 > > 
 > >   FreeBSD src repository
 > > 
 > >   Modified files:
 > >     usr.sbin/jexec       jexec.8 jexec.c 
 > >   Log:
 > >   Extend jexec to accept hostname or ip-number besides jail-id.
 > 
 > As many already suggested using IP numbers and hostnames can be tricky
 > (and risky).

I think that an admin who decides to use jexec with IP
numbers or hostnames should be expected to be aware that
there can be ambiguities, and that he should make sure
that his IP numbers and/or hostnames are unique.

Therefore I think that a warning in the manpage is more
than sufficient.

Personally I welcome Michael's patch very much.  Until now
I had to perform quite complex ps/jls/grep/awk gymnastics
in my jail maintenance scripts.  That's error-prone, ugly,
and it certainly leaves something to be desired.

Now with the above new jexec feature, those scripts can be
simplified greatly.  Of course I _do_ make sure that all
of my jails have unique hostnames.

However, I do share the concern that there's an ambiguity
in the syntax:  "127" can be a jail ID as well as an IP
number (same as 0.0.0.127) or a hostname.  Either the
syntax should be changed so the meaning of the argument
is clear, or the manpage should be updated to include a
warning and a clear description of the order in which the
argument is tried to match.

A simple way to resolve it would be to require at least
one dot for IP numbers, otherwise it is matched as a
jail ID.  In practice I've never seen people using single
numbers (without dots) for IP numbers.  In fact I've been
stared at with disbelief by coworkers many times when
using 127.1 as a shortcut for 127.0.0.1.

 > What do you think about using jail name from /etc/rc.conf?

Personally I don't set up my jails via the rc.d stuff (and
I suspect I'm not the only one), so that would only be of
limited usefulness, I'm afraid.

 > PS. I'm not against this functionality, but we should be much more
 >     careful, especially with hostnames when
 >     security.jail.set_hostname_allowed=1.

I agree.  If that sysctl is set to 1 (default!), matching
against the jails' hostnames should not be attempted.

Best regards
   Oliver

-- 
Oliver Fromme, Bunsenstr. 13, 81735 Muenchen, Germany

``We are all but compressed light'' (Albert Einstein)
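
The two rules proposed in this message (a bare number is always a jail ID, and hostname matching is skipped while security.jail.set_hostname_allowed is 1), as an added C example that is not part of the original e-mail and not code from jexec.c. The names `classify_jail_arg`, `aton_host_order` and the enum are hypothetical, and the sysctl value is assumed to be read by the caller and passed in.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none are taken from jexec.c. */
enum jail_arg_kind { ARG_JID, ARG_IP, ARG_HOSTNAME, ARG_REJECTED };

/* What inet_aton() alone makes of arg, in host byte order; 0 if it rejects. */
int
aton_host_order(const char *arg, uint32_t *out)
{
	struct in_addr addr;

	if (inet_aton(arg, &addr) == 0)
		return (0);
	*out = ntohl(addr.s_addr);
	return (1);
}

/*
 * Decide how a jail selector is interpreted before any jail is looked up.
 * hostname_settable is assumed to hold security.jail.set_hostname_allowed.
 */
enum jail_arg_kind
classify_jail_arg(const char *arg, int hostname_settable)
{
	uint32_t ip;
	size_t digits = strspn(arg, "0123456789");

	if (arg[0] == '\0')
		return (ARG_REJECTED);
	/* Digits only, no dot: always a jail ID, never 0.0.0.N. */
	if (arg[digits] == '\0')
		return (ARG_JID);
	/* The IP parser is tried only when at least one dot is present. */
	if (strchr(arg, '.') != NULL && aton_host_order(arg, &ip))
		return (ARG_IP);
	/* A jail that may rename itself must not be selectable by name. */
	return (hostname_settable ? ARG_REJECTED : ARG_HOSTNAME);
}

int
main(void)
{
	/* Constructed sample arguments. */
	const char *samples[] = { "127", "127.1", "10.0.0.5", "www.example.org" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s -> %d\n", samples[i], classify_jail_arg(samples[i], 1));
	return (0);
}
```

`aton_host_order` is there to show the ambiguity itself: the stock parser accepts "127" as 0.0.0.127, which is why the classifier checks for the dot before calling it.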