Re: Jailing {open,}ntpd

2018-06-26 Thread Dewayne Geraghty
On 27/06/2018 1:17 PM, Dewayne Geraghty wrote:
> Hi Roger, I have a similar mental state :)
>
> Yes, I run ports ntpd within a chroot environment. 
>
> ntpd can run within a jail, but it lacks the priv to perform a syscall
> to modify time, which is correct behaviour for a restricted
> environment, protecting other jailed environs.  Previously there was
> also an mlock call which prevented it running, but that was changed a
> while ago; that's an aside unless you're running on old "stuff". ;)
>
> As this is not a security issue, I've removed those interested in that
> area from the CC.
>
> There are a few tricks with chroot, but first a disclaimer: I use jails
> for everything except ntpd, so there may be a better way.
>
> Trick 1. This is how I want ntpd to run
>
> /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
>
> but you can't pass arguments into chroot.  So I created a "/start" that
> I place my chroot commands into.
>
> Trick 2.  Use ldd to see what libs you need to copy into your chroot. 
> Also remember, that you must have ld-elf and /dev/null. So
>
> Using ROOTD as your chroot destination
>
> mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec  ;
>
> and set up dev
>
>   mkdir  $ROOTD/dev
>   touch $ROOTD/dev/null
>   chmod 666 $ROOTD/dev/null;   # Yes this is sufficient!
>
> The rest of the files are from the ntpd tarfile.  Enjoy ;)
>
> PS: ntpq won't report due to "servname not supported for ai_socktype"...
> no solution yet.
>
Oops.  Running on low memory.
Roger, forget trick 1 above, we run our ntp via
chroot /usr/chroot/ntp /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
and yes, "ntpq -np 127.0.0.1" works from the base system.  Tsk.
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: Jailing {open,}ntpd

2018-06-26 Thread Dewayne Geraghty
Hi Roger, I have a similar mental state :)

Yes, I run ports ntpd within a chroot environment. 

ntpd can run within a jail, but it lacks the priv to perform a syscall
to modify time, which is correct behaviour for a restricted
environment, protecting other jailed environs.  Previously there was
also an mlock call which prevented it running, but that was changed a
while ago; that's an aside unless you're running on old "stuff". ;)

As this is not a security issue, I've removed those interested in that
area from the CC.

There are a few tricks with chroot, but first a disclaimer: I use jails
for everything except ntpd, so there may be a better way.

Trick 1. This is how I want ntpd to run

/usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid

but you can't pass arguments into chroot.  So I created a "/start" that
I place my chroot commands into.

Trick 2.  Use ldd to see what libs you need to copy into your chroot. 
Also remember, that you must have ld-elf and /dev/null. So

Using ROOTD as your chroot destination

mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec  ;

and set up dev

  mkdir  $ROOTD/dev
  touch $ROOTD/dev/null
  chmod 666 $ROOTD/dev/null;   # Yes this is sufficient!

The rest of the files are from the ntpd tarfile.  Enjoy ;)

PS: ntpq won't report due to "servname not supported for ai_socktype"...
no solution yet.



Re: Jailing {open,}ntpd

2018-06-26 Thread John Freeman via freebsd-jail

Why not with according devfs rules?

>Tuesday, 26 June 2018, 23:00 +03:00 from Roger Marquis :
>
>Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
>container?  Can it be done in such a way that a breached daemon would
>not have access to the host?
>
>Roger Marquis
>___
>freebsd-secur...@freebsd.org mailing list
>https://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to " freebsd-security-unsubscr...@freebsd.org "


Best regards,
John Freeman
quak...@mail.ru
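As an added example (my script, not code from Dewayne's messages or from FreeBSD), here is Dewayne's "Trick 2" put into a runnable form: read ldd(1) output to find the shared objects, copy them into the chroot at the same paths, add the ELF loader, and start ntpd with the chroot(8) command line from his follow-up. Instead of a plain file as /dev/null, /dev is a devfs mount restricted by a ruleset, which is the "devfs rules" approach John suggests; that way nothing but null is visible to a compromised ntpd. Assumptions: ntpd lives at /usr/local/sbin/ntpd, ruleset number 100 is an arbitrary unused id, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build a minimal chroot for ntpd on
# FreeBSD from ldd(1) output, supply /dev via devfs with a ruleset that
# hides everything except null, and start ntpd inside it.

# Print the absolute paths of the shared objects ldd reports. Input on
# stdin looks like (header line first, then one line per library):
#     /usr/local/sbin/ntpd:
#             libm.so.5 => /lib/libm.so.5 (0x800a00000)
# The header and any "=> not found" entries are skipped; duplicates dropped.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Copy every library named on stdin (ldd output) into $1, preserving the
# directory layout so the loader finds them at the paths it expects.
copy_libs() {
    rootd=$1
    libs_from_ldd | while read -r lib; do
        mkdir -p "$rootd$(dirname "$lib")"
        cp -p "$lib" "$rootd$lib"
    done
}

# Build the tree. Needs root (mount, devfs). $1 = chroot root,
# $2 = ntpd binary, $3 = ntp.conf to install as /etc/ntp.conf inside.
build_ntpd_chroot() {
    rootd=$1; bin=$2; conf=$3
    mkdir -p "$rootd/libexec" "$rootd/etc" "$rootd/dev" "$rootd/var/run" \
             "$rootd$(dirname "$bin")"
    ldd "$bin" | copy_libs "$rootd"
    cp -p /libexec/ld-elf.so.1 "$rootd/libexec/"   # the ELF loader
    cp -p "$bin" "$rootd$bin"
    cp -p "$conf" "$rootd/etc/ntp.conf"
    # /dev: mount devfs, hide every node, then unhide only null.
    # Ruleset 100 is an assumed, otherwise unused ruleset number.
    mount -t devfs devfs "$rootd/dev"
    devfs -m "$rootd/dev" rule -s 100 add hide
    devfs -m "$rootd/dev" rule -s 100 add path null unhide
    devfs -m "$rootd/dev" rule -s 100 applyset
}

# Start ntpd as the follow-up message does: the full command line is
# handed to chroot(8); the -c and -p paths are relative to the chroot.
start_ntpd_chroot() {
    rootd=$1
    chroot "$rootd" /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g \
        -p /var/run/ntpd.pid
}

# Usage (as root):
#   sh build_ntpd_chroot.sh build /usr/chroot/ntp /usr/local/sbin/ntpd /etc/ntp.conf
if [ "${1:-}" = "build" ]; then
    build_ntpd_chroot "$2" "$3" "$4"
    start_ntpd_chroot "$2"
fi
```

Only libs_from_ldd and copy_libs are portable and run unprivileged; build_ntpd_chroot needs root and a FreeBSD devfs. Re-run the build after any update of ntpd or libc, since the copied libraries do not follow base-system patches.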


Jailing {open,}ntpd

2018-06-26 Thread Roger Marquis

Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
container?  Can it be done in such a way that a breached daemon would
not have access to the host?

Roger Marquis


Re: jail related inconsistencies in FreeBSD tools parameters

2018-06-26 Thread Miroslav Lachman

James Gritton wrote on 2018/06/26 20:42:

> On 2018-06-23 12:58, Eitan Adler wrote:
>
>> [...]
>>
>> I was thinking of a more generic one that does id or name. Now that I
>> think about it a bit more, C makes this kind of thing impossible to do
>> usefully.
>>
>> That said, I'll still review and commit any patches to existing tools
>> to make them behave consistently.
>
> Yes, jail_getid(3) works with either a numeric ID or a name.
>
> I've added a patch to
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 for the four
> programs I've found that need help.  I've tested the easy ones (cpuset
> and sockstat).


Thank you very much. I really appreciate your neverending work on jails!
I hope it will be committed soon.

Kind regards
Miroslav Lachman


Re: jail related inconsistencies in FreeBSD tools parameters

2018-06-26 Thread James Gritton

On 2018-06-23 12:58, Eitan Adler wrote:

> On 23 June 2018 at 08:50, James Gritton wrote:
>
>> On 2018-06-23 09:45, Eitan Adler wrote:
>>
>>> On 23 June 2018 at 08:30, James Gritton wrote:
>>>
>>>> On 2018-06-22 16:03, Miroslav Lachman wrote:
>>>>
>>>>> Chris H wrote on 2018/06/22 23:46:
>>>>>
>>>>>> On Fri, 22 Jun 2018 23:13:17 +0200 "Miroslav Lachman"
>>>>>> <000.f...@quip.cz> said
>>>>>>
>>>>>>> I don't know if it is better to discuss it in jail@ or stable@
>>>>>>> list so I do cross-post.
>>>>>>>
>>>>>>> FreeBSD has many jail aware utilities but they are inconsistent
>>>>>>> in taking JID as parameter.
>>>>>>>
>>>>>>> For example "sockstat" takes -j JID "Show only sockets belonging
>>>>>>> to the specified jail ID" and it means numeric ID only.
>>>>>>> On the other hand "ps" takes -J JID "This may be either the jid
>>>>>>> or name of the jail.  Use -J 0 to display only host processes."
>>>>>>> The same applies for "top", it understands jid as a number or
>>>>>>> name of the jail too.
>>>>>>> Then again "cpuset" takes only numerical ID of the jail...
>>>>>>>
>>>>>>> Shouldn't it be consistent across all FreeBSD base utilities so
>>>>>>> all of them can use numerical ID and name?
>>>>>>
>>>>>> Good idea! Are you offering to create a patch? ;-)
>>>>>> It'd be my guess that given they weren't all created at the same
>>>>>> time, nor the same individual; that (quite probably?) the "jail"
>>>>>> additions were also added at different times, and by different
>>>>>> people. So I'd imagine that unless someone with a commit bit
>>>>>> decides one day they'd like to take that on. Someone(tm) maybe
>>>>>> you? will need to propose a patch. :-)
>>>>>
>>>>> If I can understand C sources I will create the patch by myself
>>>>> instead of just posting here. Unfortunately I am able to code in
>>>>> sh, php and a bit of javascript and perl but no C. :)
>>>>>
>>>>> Miroslav Lachman
>>>>
>>>> Sure, a PR would be handy for this - it's a pretty simple thing to
>>>> add, and consistency would indeed be a good move.
>>>
>>> Agreed. I'll review and commit such patches. I'd like to see a single
>>> function for taking a "id or name". Ideally it would live in a
>>> library, perhaps libjail?
>>
>> It already lives there: jail_getid(3)
>
> I was thinking of a more generic one that does id or name. Now that I
> think about it a bit more, C makes this kind of thing impossible to do
> usefully.
>
> That said, I'll still review and commit any patches to existing tools
> to make them behave consistently.


Yes, jail_getid(3) works with either a numeric ID or a name.

I've added a patch to 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 for the four 
programs I've found that need help.  I've tested the easy ones (cpuset 
and sockstat).


- Jamie
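An added example of the change the thread is after (my code, not the sockstat, cpuset or libjail sources, and not the patch in the bug report): a tool option that accepts either a numeric jid or a jail name, beside the numeric-only form it replaces. The security-relevant detail is that atoi("www") is 0, and jid 0 means the host (the ps -J 0 case quoted above), so a numeric-only tool given a name silently acts on host state instead of failing. On FreeBSD the name lookup is jail_getid(3) from libjail (link with -ljail); on other systems a constructed table of jail names stands in so the logic compiles and can be exercised. The function names, the table and its jids are assumptions.

```c
/* Added example, not from the thread or from FreeBSD: resolve a "-j JID"
 * style argument as either a numeric jail id or a jail name. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __FreeBSD__
#include <jail.h>          /* jail_getid(3), jail_errmsg; link with -ljail */
#endif

/* The numeric-only form: atoi() maps any name to 0, and jid 0 is the
 * host, so "-j www" is quietly treated as the host instead of an error. */
int parse_jid_weak(const char *arg)
{
    return atoi(arg);
}

/* Look a jail name up and return its jid, or -1 when it does not exist. */
static int lookup_jail_name(const char *name)
{
#ifdef __FreeBSD__
    return jail_getid(name);      /* -1 and jail_errmsg set on failure */
#else
    /* Constructed stand-in for the example; not real system state. */
    static const struct { const char *name; int jid; } table[] = {
        { "www", 3 }, { "db", 7 }, { "ntp", 12 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].jid;
    return -1;
#endif
}

/* Strict form: a fully numeric string is a jid (0 = host); anything else
 * is a jail name. Partial numbers such as "3abc", negative values and the
 * empty string are rejected. Returns the jid or -1. */
int parse_jid_strict(const char *arg)
{
    char *end;
    long val;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    val = strtol(arg, &end, 10);
    if (*end == '\0') {                     /* whole string was numeric */
        if (errno == ERANGE || val < 0 || val > INT_MAX)
            return -1;
        return (int)val;
    }
    return lookup_jail_name(arg);           /* treat as a name */
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "www";
    int jid = parse_jid_strict(arg);

    if (jid < 0) {
        fprintf(stderr, "no such jail: %s\n", arg);
        return 1;
    }
    printf("%s -> jid %d\n", arg, jid);
    return 0;
}
```

On FreeBSD jail_getid(3) already accepts both forms itself (it also checks that a numeric jid exists), so a tool can simply replace its atoi/strtol call with jail_getid and print jail_errmsg on -1; the portable parsing above shows what that buys compared with the weak form.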


Re: Handheld Inkjet Printer Manufacturer

2018-06-26 Thread kelly
Dear Manager,


Good day!


We independently developed a handheld inkjet printer with good quality, which 
is widely used and popular throughout different countries. Hope the below 
product can help you save the costs.


Following is one of our models:
Item: Handheld Inkjet Printer with Solvent Ink (Quick Dry)
- With 3.5 inch touchable screen so that you can edit the contents directly via 
screen or import the contents from U-disk.
- Portable, simple interface and easy to operate.
- It can print on different kinds of materials, such as papers, cartons, 
plastics, glasses, woods, stones, walls, steel pipes, metals, cables, film 
materials, etc.
- It can print Chinese, English letters, numbers, QR code, scan code, barcode, 
batch code, expiry date, time, counter, symbols, logo, marks, small pictures, 
etc.
- We have large data store up to 200 messages.
- We have different colors ink: black, red, blue, yellow, white and invisible UV 
light ink.

Any interests please contact us for more information. We can show you our 
brochure and video. Samples are available, too!
 
Thanks and Regards,
--

Kelly Chen
Sales Representative
Shenzhen Swaroniki Technology Co., Ltd. 
Mobile & Whatsapp:86-13266685669
Skype: kelly_3167
Web:www.beshengprinters.com