security bug or operator "misunderstanding", and a query
Alain Wolf
wolf at k18.ch
Wed Aug 15 10:12:39 PDT 2007
Randy Schultz wrote, On 2007-08-15 17:27:
> Hey all,
>
> I've been messing around with, and liking, jails. I had a weird thing happen
> tho' that I cannot explain, and seems to violate the concept of jail.
>
> I have the AMD64 version of fbsd 6.2 set up, default install (plus a few minor
> ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:
>
> jail_list="ntpjail"
>
> jail_ntpjail_rootdir=/usr/local/jails/jail1
> jail_ntpjail_hostname=ntpjail.earlham.edu
> jail_ntpjail_ip=192.168.1.59
> jail_ntpjail_interface=bge1
> jail_ntpjail_devfs_enable="YES"
>
> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
> and no tweaks are in sysctl.conf.
>
> When I have the parent/jail up and running, ntpd not running on the parent, if
> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
> barks with "address already in use". Now, I understand the "address already
> in use" part, but how can starting something in the jail affect anything on
> the parent? I thought the 2 were more separated than that.
>
> I'm trying to get to a setup where ntp on the parent sets the system time but
> doesn't answer any queries, and ntp in the jail answers the time queries. If
> anybody has any thoughts on whether or not this is even possible (short of
> recoding part of ntp ;) or possible avenues of investigation, pls let me know.
>
> Tnx.
>
> --
> Randy (schulra at earlham.edu) 765.983.1283 <*>

Hi Randy

Usually it is the other way round.
The parent system uses up the jail's IP address, you have to take steps
that it doesn't do that before starting anything in the jail.

For TCP/IP on the parent system, a jail IP address is just another IP
Interface/address to use. It does not know about jails.

AFAIK things are planned for FBSD 7 to have more independent IP
interfaces in jails.

Hope this helps.
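
The reply's point, that a host daemon bound to the wildcard address also occupies the jail's IP, can be checked on the host before the jail is started. The following is an added example, not part of the original message: it parses output in the column layout of `sockstat -4l`; the sample lines and the function names are constructed for illustration, and only the jail IP comes from the quoted rc.conf.

```python
"""Flag host sockets that already occupy a jail's IP address.

Added example; the sockstat lines below are constructed sample data.
"""

JAIL_IP = "192.168.1.59"  # jail_ntpjail_ip from the rc.conf quoted in the thread

# Constructed sample in the column layout of `sockstat -4l` run on the host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       612   20 udp4   *:123                 *:*
root     ntpd       612   21 udp4   192.168.1.59:123      *:*
root     ntpd       612   22 udp4   127.0.0.1:123         *:*
root     sshd       540   3  tcp4   192.168.1.10:22       *:*
root     syslogd    431   7  udp4   *:514                 *:*
root     sendmail   575   4  tcp4   127.0.0.1:25          *:*
"""


def parse_listeners(text):
    """Yield (command, pid, proto, address, port) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything without a LOCAL ADDRESS column.
        if len(fields) < 6 or fields[0] == "USER":
            continue
        address, _, port = fields[5].rpartition(":")
        yield fields[1], int(fields[2]), fields[4], address, port


def jail_ip_conflicts(text, jail_ip):
    """Return host sockets a jailed daemon would collide with on jail_ip.

    A wildcard bind ("*") covers every address configured on the host,
    including the jail's alias, so it counts as well as an exact match.
    """
    return [s for s in parse_listeners(text) if s[3] in ("*", jail_ip)]


if __name__ == "__main__":
    for command, pid, proto, address, port in jail_ip_conflicts(SAMPLE_SOCKSTAT, JAIL_IP):
        print(f"{command} (pid {pid}) holds {proto} {address}:{port}")
```

Any daemon this reports has to be stopped or rebound to the host's own address before a service in the jail can use the same port.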