bind() on 127.0.0.1 in jail: bound to the outside address?

Devon H. O'Dell dodell at offmyserver.com
Mon Feb 28 18:10:52 GMT 2005


On Mon, 2005-02-28 at 16:48 +0000, Jan Grant wrote:
> On Tue, 1 Mar 2005, Xin LI wrote:
> 
> > Your ideas are highly appreciated!
> 
> It's not minimal, but assuming that it's desirable that processes 
> listening on loopback sockets shouldn't collide outside the jail, one 
> approach might be as follows:
> 
> - get jails to the point where they can manage more than one IP address 
>   per jail;
> - a jail config will then include an alias on the loopback address 
>   (127.0.0.2, ...)
> 
> unfortunately like all jail extensions this has other problems - for 
> instance, the close association of a jail to "its IP address" is broken 
> by this.

While this might be a known issue, I really think this should be seen as
a bug, and it's a security issue as well IMO.

I know Samy Bahra has some (experimental) work[1] with giving jails a
different unique identifier and conglomerating jails. This work on its
own might give something useful for implementing something to solve this
issue.

I can certainly understand the security issues with jails using loopback
sockets. Certainly very many daemon processes make use of them for
various reasons (client / server communication in databases, etc) and
presenting them to an outside address is simply broken. Binding to a
local address that turns out to not be local can be a big hazard for
several control daemons that I can think of off the top of my head. It's
also not always possible to replace these with UDS solutions; some
things I can think of are closed source.

I'm sorry to bring up an old issue, but what are the current reasons /
issues with the PJD MIP jail patches that keep them from being committable?

Kind regards,

Devon H. O'Dell

[1] http://samy.kerneled.org/wordpress/index.php?p=7
More information about the freebsd-arch mailing list