Quoting mal content <[EMAIL PROTECTED]> (from Fri, 17 Aug 2007 17:00:00 +0100):

On 17/08/07, Alexander Leidinger <[EMAIL PROTECTED]> wrote:
Quoting mal content <[EMAIL PROTECTED]> (from Fri, 17 Aug

> Has anyone here ever successfully set up a jail for X apps, connecting
> to an external X server? I'm trying an experimental sandbox setup here.

I have my X server itself in a jail (needs a kernel patch and some
devfs rules), and in the past connected to a jail and started an X11
program there... IIRC.

I think you may misunderstand me. In this setup, my X
server is actually running on my host, outside of any
jail. I intend for programs running inside the jail
to connect to the X server with TCP/IP:

I haven't misunderstood you. I just explained that I even have a more restrictive configuration running.

  ssh -N -L 6000:hostip:6000 [EMAIL PROTECTED] &
  xterm -display 127.0.0.1:6000

ssh itself opens an X11 tunnel for you if you use -X (xauth has to be present on ... both(?) hosts), it also sets the DISPLAY variable. So maybe
   ssh -f -X [EMAIL PROTECTED] xterm &
would be a better idea.

Your command may be missing the -g for ssh, or alternatively use -R instead of -L. -T disables the allocation of a pseudo-tty, but this should not be necessary, try all the other possibilities first (you can use -v to get some more information about what ssh does).

The intention is to also place some sort of custom X
proxy before the actual server, to do inspection on the
protocol before it is passed to the real server. This
is for later, however.

Should be possible even with the built-in X-tunnel (just give the value of the ssh DISPLAY to the proxy).

ssh uses a tty (pty?), but normally you have some in a jail. How do
you start the jail? There should be devfs mounted in the jail.


I'm using a jail created with ezjail from ports. The
jail has both a devfs and fdescfs mounted inside (it uses
the standard jail devfs rules). The ezjail documentation
suggests that it uses the standard /etc/rc.d/jail script
to start jails, a quick look at the source seems to
confirm it.

I use ezjail myself, so this is most probably not the problem.

Bye,
Alexander.

--
God isn't dead, he just couldn't find a parking place.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail