From: antranigv
To: "freebsd-hackers@FreeBSD.org"
Subject: Need advice: Better Jail integration into ps/top, setpwfile gone forever?
Date: Mon, 23 Aug 2021 14:02:39 +0400
Message-Id: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Greetings all,

I am trying to have better integration of top(1) and ps(1) with FreeBSD Jails.

The main problem that I am trying to solve is displaying the correct UID username.

Here's an example.

I have a host (srv0), it is running a Jail named "fsoc". The Jail "fsoc" has a user named "romero" with the UID 1001.

If I run `ps auxd` in the Jail, I get the following,

romero@fsoc:~ $ ps auxd
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root   4377  0.0  0.0 11376  956  -  SsJ  14:15   0:00.38 /usr/sbin/syslogd -ss
root   5758  0.0  0.1 13128 1352  1  IJ   18:24   0:00.02 /bin/tcsh -i
root   5763  0.0  0.0 12048  960  1  IJ   18:24   0:00.01 - su - romero
romero 5764  0.0  0.1 12120 2268  1  SJ   18:24   0:00.02 `-- -su (sh)
romero 9625  0.0  0.1 11684 2576  1  R+J  09:41   0:00.01 `-- ps auxd

Good! However, if I try to run it on the host, here's what I get,

root@srv0:~ # ps auxd -J fsoc
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root   4377  0.0  0.0 11376  956  -  SsJ  14:15   0:00.38 /usr/sbin/syslogd -ss
root   5758  0.0  0.1 13128 1352  1  IJ   18:24   0:00.02 /bin/tcsh -i
root   5763  0.0  0.0 12048  960  1  IJ   18:24   0:00.01 - su - romero
1001   5764  0.0  0.1 12124 2436  1  I+J  18:24   0:00.02 `-- -su (sh)

As you can see, in the User field it says 1001, because the host does not have a user with that UID.

This seems fine, but it becomes an issue when you have multiple Jails and a large host running.

Here's an example if the host had a user with UID 1001,

root@pingvinashen:~ # ps auxd -J oragir
USER        PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root        949  0.0  0.0  11344  2584  -  IsJ  Mon19   0:01.13 /usr/sbin/cron -s
root       1962  0.0  0.0  11428  2796  -  SsJ  Mon19   0:01.83 /usr/sbin/syslogd -ss
antranigv 95342  0.0  0.0  11004  2424  -  IsJ  Mon19   0:00.48 daemon: /usr/home/oragir/writefreely/writefreely[9992] (daemon)
antranigv  9992  0.0  0.4 767244 58336  -  IJ   Mon19   2:58.87 - /usr/home/oragir/writefreely/writefreely

Now, you would think that this is good, however, if you run this in the jail,

root@oragir:~ # ps auxd
USER     PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root     949  0.0  0.0  11344  2584  -  SsJ  Mon15   0:01.13 /usr/sbin/cron -s
root    1962  0.0  0.0  11428  2796  -  SsJ  Mon15   0:01.83 /usr/sbin/syslogd -ss
oragir 95342  0.0  0.0  11004  2424  -  IsJ  Mon15   0:00.48 daemon: /usr/home/oragir/writefreely/writefreely[9992] (daemon)
oragir  9992  0.0  0.4 767244 58336  -  IJ   Mon15   2:58.88 - /usr/home/oragir/writefreely/writefreely
root   88228  0.0  0.0  13336  4004  8  SJ   09:45   0:00.01 /bin/csh -i
root   99502  0.0  0.0  11824  3140  8  R+J  09:45   0:00.00 - ps auxd

As you can see, the UID 1001 was not `antranigv`, instead it was `oragir`.

This has been an issue for me, so I tried writing some code to implement the following.

If the process is in a Jail, then change the passwd db from /etc to /path/of/the/jail/etc.

I thought it would be an easy thing to do, but not so much. Here's what I've tried.

1) Call jail_attach and run ps inside the Jail. Oh yeah, it's a jail! After attaching to it there is no way to detach :-) silly me!

2) Change the passwd file for getpwuid/getpwnam. I wanted to use setpwfile(3) but turns out that:

COMPATIBILITY
     The historic function setpwfile(3), which allowed the specification of
     alternate password databases, has been deprecated and is no longer
     available.

Okay, so I look into how other tools like pwd_mkdb are written and I see that everything is defined (pun intended) the following way, in /usr/include/pwd.h

#define _PATH_PWD               "/etc"
#define _PATH_PASSWD            "/etc/passwd"
#define _PASSWD                 "passwd"
#define _PATH_MASTERPASSWD      "/etc/master.passwd"
#define _MASTERPASSWD           "master.passwd"
#define _PATH_MP_DB             "/etc/pwd.db"
#define _MP_DB                  "pwd.db"
#define _PATH_SMP_DB            "/etc/spwd.db"
#define _SMP_DB                 "spwd.db"
#define _PATH_PWD_MKDB          "/usr/sbin/pwd_mkdb"

and pwd_mkdb does the following

...
        strcpy(prefix, _PATH_PWD);
...
                case 'd':
                        dflag++;
                        strlcpy(prefix, optarg, sizeof(prefix));
                        break;
...

Turns out it parses the DB file, but I don't want to do that in ps/top! :-)

3) Just for fun, I played with chroot. I tried the following code.

# cat getpw.c
#define MAXHOSTNAMELEN 255
#define MAXPATHLEN 255

#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

int main(){

  // Just get root!
  struct passwd *pwd;
  printf("just root: %s\n", (getpwuid(0))->pw_name);

  // let's try with undef/define
#undef _PATH_PWD
#undef _PATH_PASSWD
#undef _PASSWD
#undef _PATH_MASTERPASSWD
#undef _MASTERPASSWD
#undef _PATH_MP_DB
#undef _MP_DB
#undef _PATH_SMP_DB
#undef _SMP_DB

#define _PATH_PWD               "/zdata/jails/fsoc/etc"
#define _PATH_PASSWD            "/zdata/jails/fsoc/etc/passwd"
#define _PASSWD                 "passwd"
#define _PATH_MASTERPASSWD      "/zdata/jails/fsoc/etc/master.passwd"
#define _MASTERPASSWD           "master.passwd"
#define _PATH_MP_DB             "/zdata/jails/fsoc/etc/pwd.db"
#define _MP_DB                  "pwd.db"
#define _PATH_SMP_DB            "/zdata/jails/fsoc/etc/spwd.db"
#define _SMP_DB                 "spwd.db"

  pwd = getpwuid(1001);
  if (pwd == NULL) {
    printf("using undef/define: no user found\n");
  } else {
    printf("using undef/define: %s\n", pwd->pw_name);
  }

  // let's try with chroot!
  chroot("/zdata/jails/fsoc");
  pwd = getpwuid(1001);
  if (pwd == NULL) {
    printf("after chroot: no user found\n");
  } else {
    printf("after chroot: %s\n", pwd->pw_name);
  }

  // escape back the chroot ;-)
  chroot("../../../../");
  pwd = getpwuid(1001);
  if (pwd == NULL) {
    printf("after unchroot: no user found\n");
  } else {
    printf("after unchroot: %s\n", pwd->pw_name);
  }

  return 42;
}

And I get the following:

# ./getpw
just root: root
using undef/define: no user found
after chroot: romero
after unchroot: no user found

So, any advice? Should I do chroot in ps? (no I don't think that's a good idea), should I add a new call that implements setpwfile(3)? But I really want to know why it was removed, I'm sure there's a story there. Or is there a better way?

Kind regards,
have a nice day!

--
antranigv
https://antranigv.am/