cvs commit: src/usr.sbin/jexec jexec.8 jexec.c

Bjoern A. Zeeb bz at FreeBSD.org
Thu May 29 13:30:08 UTC 2008


On Thu, 29 May 2008, Oliver Fromme wrote:

>
> Pawel Jakub Dawidek wrote:
> > On Mon, May 26, 2008 at 11:57:49AM +0000, Michael Reifenberger wrote:
> > > mr          2008-05-26 11:57:49 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     usr.sbin/jexec       jexec.8 jexec.c
> > >   Log:
> > >   Extend jexec to accept hostname or ip-number besides jail-id.
> >
> > As many already suggested using IP numbers and hostnames can be tricky
> > (and risky).
>
> I think that an admin who decides to use jexec with IP
> numbers or hostnames should be expected to be aware that
> there can be ambiguities, and that he should make sure
> that his IP numbers and/or hostnames are unique.

I think that's a bad policy but ...

As it already fetched the entire data from the kernel, it would be
easy to walk the list to the end and barf on duplicates.


> Now with the above new jexec feature, those scripts can be
> simplified greatly.  Of course I _do_ make sure that all
> of my jails have unique hostnames.

Lucky you, your jail goes away immediately when you stop it and the TCP
socket has to be torn down; still, and you restarted it and end up in
the 'dead' one.

> However, I do share the concern that there's an ambiguity
> in the syntax:  "127" can be a jail ID as well as an IP
> number (same as 0.0.0.127) or a hostname.  Either the

actually 127.0.0.0

> syntax should be changed so the meaning of the argument
> is clear, or the manpage should be updated to include a
> warning and a clear description of the order in which the
> argument is tried to match.
>
> A simple way to resolve it would be to require at least
> one dot for IP numbers, otherwise it is matched as a
> jail ID.  In practice I've never seen people using single
> numbers (without dots) for IP numbers.  In fact I've been
> stared at with disbelief by coworkers many times when
> using 127.1 as a shortcut for 127.0.0.1.

Yes, because that is 127.1.0.0 and not 127.0.0.1.


> > What do you think about using jail name from /etc/rc.conf?
>
> Personally I don't set up my jails via the rc.d stuff (and
> I suspect I'm not the only one), so that would only be of
> limited usefulness, I'm afraid.

Sorry, we don't support private stuff.


> > PS. I'm not against this functionality, but we should be much more
> >     careful, especially with hostnames when
> >     security.jail.set_hostname_allowed=1.
>
> I agree.  If that sysctl is set to 1 (default!), matching
> against the jails' hostnames should not be attempted.


Anyway people have been discussing this more than it is worth.
The bugs in the code are still not fixed.
As Christian has pointed out we will have a 'jail name' soon.

Either this all will be fixed very soon or I'll miss it with my next
integrate...

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
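As an added example, not code from this thread or from the jexec commit under discussion: a small C resolver that applies the "at least one dot for an IP number, otherwise a jail ID" rule proposed above, and walks the whole jail list so that a second match (duplicate hostname or address) is reported as ambiguous instead of silently picking the first one. It also shows what inet_aton() actually makes of the shorthand forms "127" and "127.1" that the thread argues over. The `jail_rec` struct, the `jails` table, and the functions `classify`, `resolve_jail` and `expand_ip` are all constructed for this example; the table stands in for what jexec fetches from the kernel, and the `hostname_matching_allowed` flag stands in for a policy decision tied to `security.jail.set_hostname_allowed`.

```c
/* Added example, not the jexec source. Feature-test macro so inet_aton()
 * and inet_ntop() are declared on glibc as well as on FreeBSD. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for a kernel jail record (hypothetical struct). */
struct jail_rec {
    int jid;
    const char *hostname;
    const char *ip;   /* dotted quad as the kernel would report it */
};

/* Constructed sample table: two jails deliberately share a hostname
 * (a stopped-but-not-yet-dead jail and its restarted replacement). */
static const struct jail_rec jails[] = {
    {   3, "www.example.org", "10.0.0.3"   },
    { 127, "db.example.org",  "10.0.0.127" },
    { 128, "www.example.org", "10.0.0.4"   },
};
#define NJAILS (sizeof(jails) / sizeof(jails[0]))

enum argkind { ARG_JID, ARG_IP, ARG_HOST };

/* Proposed rule from the thread: an all-digit argument is a jail ID; an
 * IP number must contain at least one dot and parse with inet_aton();
 * anything else is treated as a hostname. */
enum argkind classify(const char *arg, struct in_addr *out)
{
    const char *p;
    int alldigits = (*arg != '\0');

    for (p = arg; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) { alldigits = 0; break; }
    if (alldigits)
        return ARG_JID;
    if (strchr(arg, '.') != NULL && inet_aton(arg, out) == 1)
        return ARG_IP;
    return ARG_HOST;
}

/* The list is already fully in hand, so walk it to the end and refuse on
 * duplicates. Returns the jid, 0 if nothing matched, -1 if ambiguous. */
int resolve_jail(const char *arg, int hostname_matching_allowed)
{
    struct in_addr addr;
    enum argkind kind = classify(arg, &addr);
    long want = (kind == ARG_JID) ? strtol(arg, NULL, 10) : 0;
    int found = 0, jid = 0;
    size_t i;

    /* A jail may rename itself when set_hostname_allowed=1, so the
     * caller can switch hostname matching off entirely. */
    if (kind == ARG_HOST && !hostname_matching_allowed)
        return 0;

    for (i = 0; i < NJAILS; i++) {
        int match = 0;
        struct in_addr jaddr;

        switch (kind) {
        case ARG_JID:
            match = (jails[i].jid == want);
            break;
        case ARG_IP:
            match = inet_aton(jails[i].ip, &jaddr) == 1 &&
                    jaddr.s_addr == addr.s_addr;
            break;
        case ARG_HOST:
            match = (strcmp(jails[i].hostname, arg) == 0);
            break;
        }
        if (match) {
            if (found++)
                return -1;      /* second hit: ambiguous, pick nothing */
            jid = jails[i].jid;
        }
    }
    return jid;
}

/* How inet_aton() expands shorthand: a lone number is the whole 32-bit
 * address, "a.b" puts b into the low 24 bits. NULL if not an address. */
const char *expand_ip(const char *s)
{
    static char buf[INET_ADDRSTRLEN];
    struct in_addr a;

    if (inet_aton(s, &a) != 1)
        return NULL;
    return inet_ntop(AF_INET, &a, buf, sizeof buf);
}

int main(void)
{
    printf("127     -> jid %d\n", resolve_jail("127", 1));
    printf("www...  -> %d (ambiguous)\n", resolve_jail("www.example.org", 1));
    printf("127     as IP is %s\n", expand_ip("127"));
    printf("127.1   as IP is %s\n", expand_ip("127.1"));
    return 0;
}
```

Note that `resolve_jail("127.1", 1)` classifies the argument as an IP number and finds no jail, rather than falling through to jail ID 127; that is the intended effect of the dot rule.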

