jails, cron and sendmail

Fabian Keil freebsd-listen at fabiankeil.de
Mon Aug 28 14:23:46 UTC 2006


Mike Meyer <mwm at mired.org> wrote:

> In <20060828150039.21e8bd4a at localhost>, Fabian Keil <freebsd-listen at fabiankeil.de> typed:
> > Mike Meyer <mwm-keyword-freebsdhackers2.e313df at mired.org> wrote:
> > 
> > > In <44F1B7B7.9090701 at erdgeist.org>, Dirk Engling <erdgeist at erdgeist.org> typed:
> > 
> > > > > The default configuration doesn't expose sendmail to the publicly
> > > > > visible IP address. The daemon it runs only listens for connections to
> > > > > the localhost address.
> > > > Which is rewritten to the jails (externally visible) address on a connect()
> > > Yup. I wasn't aware of that strange behavior of jails. That should be
> > > fixed.
> > Fixed how? Disallow jailed applications to connect to 127.0.0.1,
> > and thus break most of them, or have them reach 127.0.0.1 on the
> > host system and weaken the security? 
> >
> > > I think the better fix would be to make jails not expose their
> > > localhost IP address to the outside world.
> > Exactly.

I think I misunderstood what you were saying here, sorry.

I assumed you meant the user should run the jail on one of the addresses
in the 127.0.0.0/8 range, while you probably were suggesting jails should
have their own localhost IP address that is different from their outside
IP address?
 
> Ok, I'm confused. Exactly how is fixing jails to not expose their
> localhost IP address to the outside world not fixing this strange
> behavior of jails?

AFAICS jails currently have no localhost IP address they could expose.
They have one IP address that is always visible from the host system,
and conveniently jailed applications that try to bind to 127.0.0.1
get connected to the one jail IP address, instead of receiving
an error or getting through to the host system's localhost.

Fabian
-- 
http://www.fabiankeil.de/
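The behaviour under discussion (a jailed process that binds to 127.0.0.1 ends up on the jail's externally visible address) is easy to check empirically. The program below is an added example, not code from the thread or from FreeBSD: it binds a TCP socket to a requested loopback address on an ephemeral port and then asks the kernel, via getsockname(), which address the socket actually sits on. Run it on the host and again inside a jail and compare the two answers. The function names and the 127.0.0.1 default are this example's own choices.

```c
/* Added example (not from the original thread): bind a TCP socket to a
 * requested loopback address and report the address the kernel actually
 * assigned. On an unjailed host the answer is the requested address; in a
 * jail of the kind described in the thread it is the jail's IP address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to requested_ip:0 (kernel picks the port) and copy the
 * address reported by getsockname() into out in dotted-quad form. If port is
 * non-NULL the chosen port is stored there. Returns 0 on success, -1 on any
 * socket, bind or address-parsing error. */
int bound_loopback_address(const char *requested_ip, char *out, size_t outlen,
                           unsigned short *port)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof(got);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = 0;                      /* ephemeral port */
    if (inet_pton(AF_INET, requested_ip, &want.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&want, sizeof(want)) < 0) {
        close(fd);
        return -1;
    }
    /* Ask the kernel what it really bound, rather than trusting the request. */
    if (getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &got.sin_addr, out, outlen) == NULL)
        return -1;
    if (port)
        *port = ntohs(got.sin_port);
    return 0;
}

/* Returns 1 if the kernel rewrote the requested loopback address to a
 * different one (the jail behaviour described in the thread), 0 if the
 * socket really sits on the requested address, -1 on error. */
int loopback_was_rewritten(const char *requested_ip)
{
    char got[INET_ADDRSTRLEN];
    if (bound_loopback_address(requested_ip, got, sizeof got, NULL) != 0)
        return -1;
    return strcmp(got, requested_ip) != 0;
}

int main(void)
{
    char got[INET_ADDRSTRLEN];
    unsigned short port = 0;
    if (bound_loopback_address("127.0.0.1", got, sizeof got, &port) != 0) {
        perror("bind/getsockname");
        return 1;
    }
    printf("asked for 127.0.0.1, kernel bound %s:%u (%s)\n", got, port,
           strcmp(got, "127.0.0.1") == 0 ? "not rewritten" : "rewritten");
    return 0;
}
```

If the program inside the jail reports the jail's address, any daemon that "only listens on localhost" there is in fact reachable from the network, which is the point raised about sendmail above; the same thing can be cross-checked from the host with `sockstat -4l`, where the jailed listener shows up on the jail's IP rather than on 127.0.0.1.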