Re: How to login to my jail from host itself (normal user)

2011-11-14 Thread Alejandro Imass
On Sat, Nov 12, 2011 at 9:54 PM, masayoshi rocksta...@y7mail.com wrote:
 Hi,I am masayoshi.
 If you have enough time, please answer my question.

 I must adduser Ayumi as normal user.
 After adding her in jail, I add her in host.
 Then I type the following command:

Correct me if I'm wrong but I think you are confusing FreeBSD Jails
with a Jail Shell. The name FreeBSD Jail is confusing because it's
based on advanced chrooting but it's really not intended for
jailshailing but rather pseudo-virtualization. Maybe you should look
at jailkit or something like that. The other option is to create a
FBSD Jail only for her, but again I think this is not the right tool
for the job. Jail Shell is what you're looking for.

-- 
Alejandro Imass
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: How to login to my jail from host itself (normal user)

2011-11-13 Thread Matthew Seaman
On 13/11/2011 02:54, masayoshi wrote:
 I must adduser Ayumi as normal user.
 After adding her in jail, I add her in host.
 Then I type the following command:
 
 # ln -s /usr/jails/www/home/ayumi  /home
 
 When she logins, she is in /usr/jails/www/home/ayumi.
 But if she uses cd command, she can move directory.
 
 I would like to keep her in jail because she is reckless.
 I would like to know how to login to my jail as normal user from host itself 
 when login prompt appear.
 If possible, could you tell me how to do it?
 
 Thanks in advance.
 

I assume simply using a restricted shell like rbash is unsuitable?   And
that you cannot simply give your user an unprivileged login account --
without root access, while they may be able to chdir around the system,
there's not much damage they can do accidentally.  (Although users are
endlessly inventive when it comes to breaking things...)

When you say 'login' do you mean at the console?  That's going to be
fairly tricky to enforce.  However if you mean logging in over the net
by eg. ssh then to confine the user to a jail is pretty easy. Enable
sshd in the jail -- usually this means configuring sshd the host to bind
to specific IP numbers rather than '*'.  See jail(8) for more details.
Then you give the user a working login and password in the jail and not
on the host system.  Either delete the account in the host or set the
login shell to /sbin/nologin and lock the password.

Now, if you want to support console based logins direct to a jail.  As
far as I know, this is not possible with the FreeBSD console.  It would
be a really cool thing to be able to do though.  Dedicate one of the
console vty's to the jail...  Unfortunately I don't think that's going
to be impossible without code changes to the OS.  The problem is init(8)
-- the master process on the system, and the process that controls each
of the getty(8) programs that watch for login attempts on the various
terminals -- that program would require modification so that it knew how
to associate a particular vty with a jail, and then manage the login
process to create a new login session within the jail.

About the only way I can think of doing this for a console login is to
use X and set up xdm(8) to enable its remote login capability, in which
case you get a pull-down on the login screen to allow you to choose
which host to log into.  But I've never tried to set up a system like
this, so I can't really say if its possible or not.  My educated guess
is that it should work, but it's quite an ambitious project for a beginner.

It would be nice if you could just force the login process on the host
to run something like 'jexec -U $USER 1 /bin/tcsh' but that's a command
you need root privilege for, so scratch that.  Also, it's pretty dodgy
to assume that the jail you want is always going to be running with JID=1.

If you can rely on your user to follow instructions, then you can just
tell them to 'ssh jailhost' immediately they login to the host, and set
up sshd in the jail as described above.  This means they will have to
have a working login on the host system, but you can make that be an
unprivileged account without root access or access to anything else
sensitive.  Their account in the jail can have root there, no problem.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature


Re: How to login to my jail from host itself (normal user)

2011-11-13 Thread Peter Vereshagin
Hello.

2011/11/13 09:23:57 + Matthew Seaman m.sea...@infracaninophile.co.uk = 
To masayoshi :
MS On 13/11/2011 02:54, masayoshi wrote:
MS  I would like to keep her in jail because she is reckless.

Wow!

MS Now, if you want to support console based logins direct to a jail.  As
MS far as I know, this is not possible with the FreeBSD console.  It would
MS be a really cool thing to be able to do though.  Dedicate one of the
MS console vty's to the jail...  Unfortunately I don't think that's going
MS to be impossible without code changes to the OS.  The problem is init(8)
MS -- the master process on the system, and the process that controls each
MS of the getty(8) programs that watch for login attempts on the various
MS terminals -- that program would require modification so that it knew how
MS to associate a particular vty with a jail, and then manage the login
MS process to create a new login session within the jail.

I'd find it obvious to try to launch getty by mean of jexec by setting the 
command in /etc/ttys?

Something like that:

ttyv0   /usr/sbin/jexec `cat /var/run/some_jail.id` /usr/libexec/getty Pc 
cons25  on  secure

--
Peter Vereshagin pe...@vereshagin.org (http://vereshagin.org) pgp: A0E26627 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: How to login to my jail from host itself (normal user)

2011-11-13 Thread Matthew Seaman
On 13/11/2011 12:31, Peter Vereshagin wrote:
 I'd find it obvious to try to launch getty by mean of jexec by setting the 
 command in /etc/ttys?
 
 Something like that:
 
 ttyv0   /usr/sbin/jexec `cat /var/run/some_jail.id` /usr/libexec/getty 
 Pc cons25  on  secure
 

That might work.  Needs testing though -- when someone logs in does init
in the host system recognize that the jailed login has taken over the
vty from the jail?  Or does it just keep spawning new getty processes?

Lets see...

lucid-nonsense:/etc:# diff -u ttys.save ttys
--- ttys.save   2011-11-13 12:49:28.868350588 +
+++ ttys2011-11-13 12:50:10.609176357 +
@@ -38,7 +38,7 @@
 ttyv4  /usr/libexec/getty Pc cons25  on  secure
 ttyv5  /usr/libexec/getty Pc cons25  on  secure
 ttyv6  /usr/libexec/getty Pc cons25  on  secure
-ttyv7  /usr/libexec/getty Pc cons25  on  secure
+ttyv7  /usr/sbin/jexec 1 /usr/libexec/getty Pc   cons25  on  
secure
 ttyv8  /usr/local/bin/xdm -nodaemon  xterm   off secure
 # Serial terminals
 # The 'dialup' keyword identifies dialin lines to login, fingerd etc.

lucid-nonsense:/etc:# kill -HUP 1
lucid-nonsense:/etc:# jexec 1 ps -ax | grep getty
22182  v7  Is+J   0:00.01 /usr/libexec/getty Pc ttyv7

Looking good so far...

fx Wanders into the other room and logs in on the console -- vty7,
which identifies itself as the jail.

lucid-nonsense:/etc:# ps -auxwww | grep v7
root   22182  0.0  0.0 21700  1676  v7  IsJ  12:50PM   0:00.06 login
[pam] (login)
matthew22293  0.0  0.0 10312  2524  v7  IJ   12:53PM   0:00.07 -tcsh
(tcsh)
matthew22299  0.0  0.0  9372  1668  v7  S+J  12:53PM   0:00.11 top
root   22362  0.0  0.0  9124  1192   1  S+   12:56PM   0:00.00 grep v7

Seems to work nicely.  Now, does logout work properly?

fxLogs out of the jail

lucid-nonsense:/etc:# ps -auxwww | grep v7
root   22390  0.0  0.0  6916  1028  v7  Is+J 12:59PM   0:00.01
/usr/libexec/getty Pc ttyv7

Yep.  All works nicely.  That's really cool.

Definitely needs care to make sure the jail ID matches up to the
intended jail.  Using m...@freebsd.org's updated jail init stuff from the
sysutils/jailrc port and enabling persistent jails probably the way to
go there.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature


Re: How to login to my jail from host itself (normal user)

2011-11-13 Thread perryh
Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

 If you can rely on your user to follow instructions, then you
 can just tell them to 'ssh jailhost' immediately they login to
 the host ...

Might it work equally well, and avoid the dependency on following
instructions, to put

  exec ssh jailhost

in this user's .login on the real host?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: How to login to my jail from host itself (normal user)

2011-11-13 Thread masayoshi
- Original Message -

 From: per...@pluto.rain.com per...@pluto.rain.com
 To: m.sea...@infracaninophile.co.uk
 Cc: rocksta...@y7mail.com; freebsd-questions@freebsd.org
 Sent: Monday, 14 November 2011 3:02 PM
 Subject: Re: How to login to my jail from host itself (normal user)
 
 Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
 
  If you can rely on your user to follow instructions, then you
  can just tell them to 'ssh jailhost' immediately they login to
  the host ...
 
 Might it work equally well, and avoid the dependency on following
 instructions, to put
 
   exec ssh jailhost
 
 in this user's .login on the real host?


For me, as I am newbie, it is simple,easy,very very cool idea.
Normal user can damage my computer in illegal way.
They want to have root authority without permission.

She might kill even people. 3
Thanks you for your advice.
I can keep her in jail on my host computer.


 


---
Inexperienced FreeBSD user: Level 3
masayoshi  Ayumi Kinoshita
http://tinyurl.com/63zg3op
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org