netstat/ipcs inside jail

Tom Dymond - Ipnoz tom at ipnoz.com
Wed May 21 08:58:35 PDT 2003


Hi, I've got this problem with my jail and I'm absolutely lost as to the why
of it.
I previously posted this on comp.unix.bsd.freebsd.misc but I was advised to
send it here.

I was unable to find help on Google :(
To sum up quickly, when I'm in a jail, netstat doesn't work properly.
Hopefully I have provided sufficient information for anyone willing to help
me :p

First of all, my system:

FreeBSD cube.kmem.org 4.8-STABLE FreeBSD 4.8-STABLE #6: Tue May 20 22:22:47 CEST 2003     root at cube.kmem.org:/usr/obj/usr/src/sys/ruby2  i386

System was updated, mergemaster done, kernel in sync with world.

The interfaces part of my rc.conf from the host:

ifconfig_rl1="inet 10.0.2.1  netmask 255.255.255.0"
ifconfig_rl1_alias0="inet 10.0.2.6 netmask 0xffffffff"
route_0="10.0.2.6 -iface lo0"
inetd_flags="-wW -a 10.0.2.1"
portmap_enable="NO"
---

- My sysctls for the jail are set as follows and are loaded from
/etc/sysctl.conf:
> sysctl -a | grep jail
jail.set_hostname_allowed: 0
jail.socket_unixiproute_only: 0
jail.sysvipc_allowed: 1

- My kernel is compiled with these options:
> grep SYSV ruby2
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores

- df looks like this:

> df
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ar0s1a    128990    47838    70834    40%    /
/dev/ar0s1f   1032142       16   949556     0%    /tmp
/dev/ar0s1g  74232392 36708258 31585544    54%    /usr
/dev/ar0s1e   1032142    22036   927536     2%    /var
procfs              4        4        0   100%    /proc
procfs              4        4        0   100%    /usr/home/jail/10.0.2.6/proc


- The jail is loaded from /usr/local/etc/rc.d by these 2 commands:
mount -t procfs proc /usr/home/jail/10.0.2.6/proc
jail /usr/home/jail/10.0.2.6 jail.kmem.org 10.0.2.6 /bin/sh /etc/rc

- When I'm out of the jail and I do this:
> ipcs -a

I get this:

Message Queues:
T     ID     KEY        MODE       OWNER    GROUP  CREATOR   CGROUP CBYTES  QNUM QBYTES LSPID LRPID   STIME    RTIME    CTIME

Shared Memory:
T     ID     KEY        MODE       OWNER    GROUP  CREATOR   CGROUP NATTCH  SEGSZ  CPID  LPID   ATIME    DTIME    CTIME
m 6946816          0 --rw-------      tom      tom      tom      tom      2  196608   3414   3380 9:59:36 10:50:07  9:59:36

Semaphores:
T     ID     KEY        MODE       OWNER    GROUP  CREATOR   CGROUP NSEMS  OTIME    CTIME


However, if I'm in the jail and I do the same command, I get this:

ipcs: short read
SVID messages facility not configured in the system
ipcs: short read
SVID shared memory facility not configured in the system
ipcs: short read
SVID semaphores facility not configured in the system

If I launch netstat inside the jail, I get an unlimited number of lines that
look like this, until I ^C:
netstat: short read
netstat: short read
netstat: short read
...

The rc.conf of the jail:
hostname="jail.kmem.org"
portmap_enable="NO"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
inetd_flags="-wW -a 10.0.2.6"


- This is what ifconfig looks like OUT of the jail:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
        ether 00:50:8d:47:e5:67
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
        inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
        inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
        ether 00:50:fc:47:84:38
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
vlan0: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface: <none>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 81.50.114.213 --> 81.50.114.1 netmask 0xffffff00
        Opened by PID 68
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
        inet 10.0.2.1 --> 10.0.3.1 netmask 0xff000000
        Opened by PID 258
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.0.2.1 --> 192.168.1.1 netmask 0xff000000
        inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
        Opened by PID 3290


- This is what ifconfig looks like IN the jail:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::250:8dff:fe47:e567%rl0 prefixlen 64 scopeid 0x1
        ether 00:50:8d:47:e5:67
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::250:fcff:fe47:8438%rl1 prefixlen 64 scopeid 0x2
        inet 10.0.2.6 netmask 0xffffffff broadcast 10.0.2.6
        ether 00:50:fc:47:84:38
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
vlan0: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface: <none>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        Opened by PID 68
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::250:8dff:fe47:e567%tun2 prefixlen 64 scopeid 0xa
        Opened by PID 258
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::250:8dff:fe47:e567%tun1 prefixlen 64 scopeid 0xb
        Opened by PID 3290


-->

When I built the jail, I cvsupped the stable branch, then I followed the
procedure described in man jail.
I then rebuilt my kernel.
Maybe I'm missing a device in the jail, maybe I have a route problem, maybe
it's the absence of the loopback...
I'm not sure what to look for really.
I rebuilt the world on the host with exactly the same sources as the jail,
all is in sync.

-->

With PuTTY's logging feature I managed to grab this:

netstat

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52  jail.ssh               ALyon-209-2-1-2..2484  ESTABLISHED
tcp4       0      0  jail.smtp              *.*                    LISTEN
tcp4       0      0  jail.ssh               *.*                    LISTEN
tcp4       0      0  jail.telnet            *.*                    LISTEN
tcp4       0      0  jail.domain            *.*                    LISTEN
udp4       0      0  jail.syslog            *.*
udp4       0      0  jail.ntp               *.*
udp4       0      0  jail.domain            *.*
netstat: short read
netstat: short read
netstat: short read
.....(goes on for miles and miles if I don't ^C)

Just in case: kmem and the kernel are linked to the jail's dev/null.

cube# ll /usr/home/jail/10.0.2.6/dev/kmem
lrwx------  1 root  wheel  4 May 21 17:05 /usr/home/jail/10.0.2.6/dev/kmem -> null
cube# ll /usr/home/jail/10.0.2.6/kernel
lrwxr-xr-x  1 root  wheel  8 May 17 17:08 /usr/home/jail/10.0.2.6/kernel -> dev/null

-----

Thanks in advance for any possible help.

Tom
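Editor's note on the "short read" lines in the post above: that message is printed by libkvm when a read from the kernel-memory device returns fewer bytes than requested. ipcs, and the parts of netstat that walk kernel structures through libkvm rather than through sysctl, open the kmem path and kvm_read() it, so with dev/kmem pointing at null (the layout the post shows) every such read returns zero bytes and the tool reports "short read". The following POSIX sh script is an added example, not code from the original post or from FreeBSD: given a jail root, it reports whether each kernel-memory entry point is nulled (the hardened state the post has, under which kvm-based tools fail), absent, or a real device that would expose kernel memory inside the jail. The jail path and the set of paths checked (dev/kmem, dev/mem, kernel) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a jail root for the
# kernel-memory entry points the post shows symlinked to null. Programs that
# read kernel structures through libkvm open these paths and kvm_read() them;
# a read that returns fewer bytes than asked makes libkvm print "short read",
# which is exactly what a null device produces. The jail path and the list of
# paths checked are assumptions for this example.

# link_target PATH: print the target of a symlink, or nothing if PATH is not
# one. Parses ls -ld instead of readlink(1) so it also works on old systems
# such as the FreeBSD 4.x host in the post. Always returns 0.
link_target() {
    if [ -L "$1" ]; then
        ls -ld "$1" | sed 's/.* -> //'
    fi
}

# is_nulled JAILROOT RELPATH: succeed when JAILROOT/RELPATH is a symlink whose
# target is a null device ("null" or ".../null"; both forms appear in the post).
is_nulled() {
    target=$(link_target "$1/$2")
    case "$target" in
        null|*/null) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_jail JAILROOT: print one line per entry point. Returns 0 when no real
# kernel-memory path is reachable from the jail (every path nulled or absent),
# 1 when at least one is a real device or file.
audit_jail() {
    root=$1
    rc=0
    for rel in dev/kmem dev/mem kernel; do
        if [ ! -e "$root/$rel" ] && [ ! -L "$root/$rel" ]; then
            echo "$rel: absent (kvm-based tools cannot open it)"
        elif is_nulled "$root" "$rel"; then
            echo "$rel: -> null (kvm reads return 0 bytes, expect 'short read')"
        else
            echo "$rel: real device or file, kernel memory readable from inside the jail"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh jailaudit.sh /usr/home/jail/10.0.2.6   (path taken from the post)
if [ $# -ge 1 ]; then
    audit_jail "$1"
fi
```

Run against the jail root from the post, the script reports dev/kmem and kernel as nulled, which is the expected state for a jail built by the procedure in man jail; the kvm-based tools failing with "short read" is the consequence of that hardening rather than a sign that the jail's network setup is broken. A jail whose dev/kmem is a real device node is what the script flags, since that would let a jailed root read host kernel memory.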



More information about the freebsd-security mailing list