X11 and ezjails

Heikki Lindholm holindho at saunalahti.fi
Thu Apr 6 04:21:11 UTC 2017


On 05.04.2017 21:38, James B. Byrne via freebsd-questions wrote:
> 
> On Wed, April 5, 2017 11:18, Ernie Luzar wrote:
>> This is the problem
>> E233: cannot open display
>>
>> gvim will not work if run in a jail. gvim uses x11 and x11 needs
>> kernel access to talk to the x11 display. Jails are designed on
>> purpose to deny kernel access to secure the host system from
>> attack. This is why you can never get a desktop to run in a jail.
>> The other authentication error messages are bogus and can be
>> ignored as misleading.
>>
>> This is also why gvim works when run on the host system.
>>
>> The bottom line here is that what you're trying to run in a jail will
>> NEVER work. Ezjail has no bearing on this problem, it's a design feature
>> of jail(8).
>>
> 
> Thank you very much.  That saves me from much futile effort.
> 
> Since all of the files used by a jail lie under /usr/jails/<name>/ I
> can just edit the appropriate files directly from the host instead.

I have no problems running X11 apps in jails. The X11 protocol is 
client/server, and clients can be running on separate machines from the 
server. The X11 connection can be forwarded through ssh. In my jail 
where an X11 app is running there are no X server components installed 
(which would require kernel access), and if there were, they would not be 
used by the remote client that's run through an ssh connection.

However, X11 is also insecure, so running an application from jail only 
prevents it from accessing your host filesystem. It can still act as a 
keylogger or capture screen content of other apps. Depending on one's 
requirements, this might not be what is sought by running stuff in jails.
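The setup described above, as an added example that is not part of the original thread: a shell helper that builds the ssh invocation for running an X11 client from inside a jail with untrusted forwarding (so the forwarded client is restricted by the X SECURITY extension where the X server supports it, which limits the keylogging and screen-capture concern), plus a check that the jail's sshd_config permits X11Forwarding. JAIL_HOST, JAIL_USER and the sshd_config fragments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. JAIL_HOST and
# JAIL_USER are assumed placeholders for the jail's address and a user
# inside it; the jail also needs sshd running and security/xauth installed.
JAIL_HOST="${JAIL_HOST:-192.0.2.10}"
JAIL_USER="${JAIL_USER:-user}"

# Build the ssh command line for one X11 application. -X requests
# *untrusted* X11 forwarding; ForwardX11Trusted=no keeps it untrusted even
# if the client config defaults it to yes. The forwarded client then runs
# under the X SECURITY extension and cannot read input or window contents
# belonging to trusted clients on the same display (where the X server
# still implements that extension).
x11_cmd() {
    app="$1"
    printf 'ssh -X -o ForwardX11Trusted=no %s@%s %s' \
        "$JAIL_USER" "$JAIL_HOST" "$app"
}

# Return 0 if the sshd_config at "$1" enables X11Forwarding. sshd uses the
# first occurrence of a keyword, so the first non-comment match wins.
sshd_allows_x11() {
    awk 'tolower($1) == "x11forwarding" && !seen { v = tolower($2); seen = 1 }
         END { exit (v == "yes") ? 0 : 1 }' "$1"
}

# Constructed sshd_config fragments used only to demonstrate the check.
good_cfg=$(mktemp)
printf 'Port 22\nX11Forwarding yes\n' > "$good_cfg"
bad_cfg=$(mktemp)
printf '# X11Forwarding yes\nX11Forwarding no\n' > "$bad_cfg"

if sshd_allows_x11 "$good_cfg"; then
    echo "jail sshd allows X11 forwarding; run: $(x11_cmd gvim)"
else
    echo "enable X11Forwarding in the jail's sshd_config first"
fi
```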
