Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?

From: Chris Stephan <chris.stephan_at_live.com>
Date: Sat, 23 Oct 2021 14:52:45 UTC
> From: owner-freebsd-hackers@freebsd.org <owner-freebsd-hackers@freebsd.org> on behalf of antranigv <antranigv@freebsd.am>

> The main problem that I am trying to solve is
> displaying the correct UID username.

Unfortunately, while the JID+UID is considered unique to the context of the process and the Jail it resides in, /bin/ps looks up the name associated with the UID based on the current JID ps is run in. I would guess the intent behind this is that most organizations would map all users to the same UIDs so they would be universal. The result, as you’ve identified, is that ps can be caught lying to you if your UIDs are not synchronized between the users in a given system of host+jails, given that each jail is a unique system with its own resources (including UID/GID mapping). So, I see two ways to solve this.

Synchronization of the UID/GID information via NIS, LDAP, or the like, which would extend credential mapping beyond the local host, but has the unfortunate side effect of creating a larger footprint to secure on your host’s file system. Local to the host, I would think this could be achieved with NULLFS RO mounts of a sub folder of /etc into the jails and some symlinks to the passwd, group, and etc.master files in the host’s /etc folder. One might also include nsswitch to guarantee the same source resolution happens both in the jails and at the host.

Either in combination with or independent of the first option, I have wrapped /usr/bin/ps in the past to turn a ps call into a map-reduce function where execution in the parent iterates over all the running jails (unless -J is provided, which isolates the call to a single JID) and prepends ‘/usr/sbin/jail $JID’ to the original command (minus the -J and $JID args).

NOTE: there are caveats to this approach, for example when there are jails within jails, and I’m not sure how the sysctl at ‘security.bsd.see_other_uids’ might affect output in a jail.

Good luck.
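The UID mismatch described above, shown as an added example that is not part of the thread: each jail's UIDs are resolved against that jail's own passwd(5) file (read from the root path reported by `jls -h jid path`) instead of the host's, and the result is flagged whenever the host mapping would have reported a different name. The `jls` output format and the sample passwd contents are assumptions constructed for this example.

```python
"""Resolve a jailed process's UID against the jail's own /etc/passwd.

Added example; not code from the mailing-list thread. Assumes FreeBSD's
`jls -h jid path` prints a header line followed by "<jid> <root path>"
rows, and that <root>/etc/passwd is readable from the host.
"""
import subprocess
from pathlib import Path

# Constructed sample data: the same UID 1001 is "alice" on the host but
# "git" inside the jail, which is exactly the case where host ps lies.
HOST_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""
JAIL_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
git:*:1001:1001:Git Daemon:/var/git:/usr/sbin/nologin
postgres:*:770:770:PostgreSQL:/var/db/postgres:/bin/sh
"""


def parse_passwd(text):
    """Map UID -> login name from passwd(5) text; first entry wins, like getpwuid(3)."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 3:
            continue
        try:
            names.setdefault(int(fields[2]), fields[0])
        except ValueError:
            continue  # malformed UID field; skip the entry
    return names


def label(uid, jail_names, host_names):
    """Return (name, lies): the jail's name for uid (raw UID if unknown) and
    whether host-side ps would have printed a *different* name for it."""
    jail, host = jail_names.get(uid), host_names.get(uid)
    name = jail if jail is not None else str(uid)
    return name, (jail is not None and host is not None and jail != host)


def jail_passwd_maps():
    """Read every running jail's passwd via `jls -h jid path` (host-only; assumed format)."""
    out = subprocess.run(["jls", "-h", "jid", "path"], check=True,
                         capture_output=True, text=True).stdout
    maps = {}
    for row in out.splitlines()[1:]:  # skip the header line
        jid, root = row.split(None, 1)
        pw = Path(root) / "etc" / "passwd"
        maps[int(jid)] = parse_passwd(pw.read_text()) if pw.is_file() else {}
    return maps
```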