[Midnightbsd-cvs] src: usr.sbin/jls: merge
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Mon Nov 24 20:31:19 EST 2008
Log Message:
-----------
merge
Modified Files:
--------------
src/usr.sbin/jail:
jail.8 (r1.1.1.2 -> r1.2)
jail.c (r1.1.1.2 -> r1.2)
src/usr.sbin/jexec:
Makefile (r1.1.1.1 -> r1.2)
jexec.8 (r1.1.1.1 -> r1.2)
jexec.c (r1.1.1.1 -> r1.2)
src/usr.sbin/jls:
jls.c (r1.1.1.1 -> r1.2)
-------------- next part --------------
Index: jail.8
===================================================================
RCS file: /home/cvs/src/usr.sbin/jail/jail.8,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L usr.sbin/jail/jail.8 -L usr.sbin/jail/jail.8 -u -r1.1.1.2 -r1.2
--- usr.sbin/jail/jail.8
+++ usr.sbin/jail/jail.8
@@ -31,9 +31,9 @@
.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
.\" ----------------------------------------------------------------------------
.\"
-.\" $FreeBSD: src/usr.sbin/jail/jail.8,v 1.67.2.4 2006/01/30 00:38:37 philip Exp $
+.\" $FreeBSD: src/usr.sbin/jail/jail.8,v 1.84 2007/04/05 21:17:52 pjd Exp $
.\"
-.Dd August 7, 2005
+.Dd April 5, 2007
.Dt JAIL 8
.Os
.Sh NAME
@@ -43,6 +43,7 @@
.Nm
.Op Fl i
.Op Fl J Ar jid_file
+.Op Fl s Ar securelevel
.Op Fl l u Ar username | Fl U Ar username
.Ar path hostname ip-number command ...
.Sh DESCRIPTION
@@ -55,7 +56,9 @@
.It Fl i
Output the jail identifier of the newly created jail.
.It Fl J Ar jid_file
-Write a JidFile, like a PidFile, containing jailid, path, hostname, ip and
+Write a
+.Ar jid_file
+file, containing jail identifier, path, hostname, IP and
command used to start the jail.
.It Fl l
Run program in the clean environment.
@@ -73,6 +76,10 @@
is imported from the current environment.
The environment variables from the login class capability database for the
target login are also set.
+.It Fl s Ar securelevel
+Sets the
+.Va kern.securelevel
+sysctl variable to the specified value inside the newly created jail.
.It Fl u Ar username
The user name from host environment as whom the
.Ar command
@@ -114,17 +121,18 @@
man page for further details.
.Sh EXAMPLES
.Ss "Setting up a Jail Directory Tree"
-This example shows how to set up a jail directory tree
-containing an entire
+To set up a jail directory tree containing an entire
.Fx
-distribution:
+distribution, the following
+.Xr sh 1
+command script can be used:
.Bd -literal
D=/here/is/the/jail
cd /usr/src
mkdir -p $D
make world DESTDIR=$D
make distribution DESTDIR=$D
-mount_devfs devfs $D/dev
+mount -t devfs devfs $D/dev
.Ed
.Pp
NOTE: It is important that only appropriate device nodes in devfs be
@@ -135,6 +143,8 @@
.Xr devfs 8
for information on how to use devfs rules to limit access to entries
in the per-jail devfs.
+A simple devfs ruleset for jails is available as ruleset #4 in
+.Pa /etc/defaults/devfs.rules .
.Pp
In many cases this example would put far more in the jail than needed.
In the other extreme case a jail might contain only one file:
@@ -153,7 +163,7 @@
to build the jail directory tree.
For the sake of this example, we will
assume you built it in
-.Pa /data/jail/192.168.11.100 ,
+.Pa /data/jail/192.0.2.100 ,
named for the jailed IP address.
Substitute below as needed with your
own directory, IP address, and hostname.
@@ -179,11 +189,11 @@
in the host environment:
.Bd -literal -offset indent
sendmail_enable="NO"
-inetd_flags="-wW -a 192.168.11.23"
+inetd_flags="-wW -a 192.0.2.23"
rpcbind_enable="NO"
.Ed
.Pp
-.Li 192.168.11.23
+.Li 192.0.2.23
is the native IP address for the host system, in this example.
Daemons that run out of
.Xr inetd 8
@@ -252,7 +262,7 @@
.Pp
Start a shell in the jail:
.Pp
-.Dl "jail /data/jail/192.168.11.100 testhostname 192.168.11.100 /bin/sh"
+.Dl "jail /data/jail/192.0.2.100 testhostname 192.0.2.100 /bin/sh"
.Pp
Assuming no errors, you will end up with a shell prompt within the jail.
You can now run
@@ -305,7 +315,7 @@
.Xr syslogd 8
in the host environment to listen on the syslog socket in the jail
environment; in this example, the syslog socket would be stored in
-.Pa /data/jail/192.168.11.100/var/run/log .
+.Pa /data/jail/192.0.2.100/var/run/log .
.Pp
Exit from the shell, and the jail will be shut down.
.Ss "Starting the Jail"
@@ -332,9 +342,9 @@
If you do decide to set this variable,
it must be set before starting any jails, and once each boot.
.Bd -literal -offset indent
-ifconfig ed0 inet alias 192.168.11.100/32
-mount -t procfs proc /data/jail/192.168.11.100/proc
-jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \\
+ifconfig ed0 inet alias 192.0.2.100/32
+mount -t procfs proc /data/jail/192.0.2.100/proc
+jail /data/jail/192.0.2.100 testhostname 192.0.2.100 \\
/bin/sh /etc/rc
.Ed
.Pp
@@ -536,8 +546,32 @@
privileged, and may manipulate system file flags subject to the usual
constraints on
.Va kern.securelevel .
+.It Va security.jail.mount_allowed
+This MIB entry determines if a privileged user inside a jail will be
+able to mount and unmount file system types marked as jail-friendly.
+The
+.Xr lsvfs 1
+command can be used to find file system types available for mount from within
+a jail.
+This functionality is disabled by default, but can be enabled by setting this
+MIB entry to 1.
.El
.Pp
+The read-only sysctl variable
+.Va security.jail.jailed
+can be used to determine if a process is running inside a jail (value
+is one) or not (value is zero).
+.Pp
+The
+.Va security.jail.list
+MIB entry is read-only and it returns an array of
+.Vt "struct xprison"
+defined in
+.In sys/jail.h .
+It is recommended to use the
+.Xr jls 8
+utility to see current active list of jails.
+.Pp
There are currently two MIB related variables that have per-jail settings.
Changes to these variables by a jailed process do not effect the host
environment, only the jail environment.
@@ -547,6 +581,7 @@
.Va kern.hostname .
.Sh SEE ALSO
.Xr killall 1 ,
+.Xr lsvfs 1 ,
.Xr newaliases 1 ,
.Xr pgrep 1 ,
.Xr pkill 1 ,
@@ -562,7 +597,7 @@
.Xr inetd 8 ,
.Xr jexec 8 ,
.Xr jls 8 ,
-.Xr mount_devfs 8 ,
+.Xr mount 8 ,
.Xr named 8 ,
.Xr reboot 8 ,
.Xr rpcbind 8 ,
Index: jail.c
===================================================================
RCS file: /home/cvs/src/usr.sbin/jail/jail.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L usr.sbin/jail/jail.c -L usr.sbin/jail/jail.c -u -r1.1.1.2 -r1.2
--- usr.sbin/jail/jail.c
+++ usr.sbin/jail/jail.c
@@ -8,10 +8,11 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/usr.sbin/jail/jail.c,v 1.20.2.1 2006/01/30 00:38:37 philip Exp $");
+__FBSDID("$FreeBSD: src/usr.sbin/jail/jail.c,v 1.25 2006/05/12 15:14:43 matteo Exp $");
#include <sys/param.h>
#include <sys/jail.h>
+#include <sys/sysctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
@@ -54,17 +55,19 @@
struct passwd *pwd = NULL;
struct in_addr in;
gid_t groups[NGROUPS];
- int ch, i, iflag, Jflag, lflag, ngroups, uflag, Uflag;
- char path[PATH_MAX], *username, *JidFile;
+ int ch, i, iflag, Jflag, lflag, ngroups, securelevel, uflag, Uflag;
+ char path[PATH_MAX], *ep, *username, *JidFile;
static char *cleanenv;
const char *shell, *p = NULL;
+ long ltmp;
FILE *fp;
iflag = Jflag = lflag = uflag = Uflag = 0;
+ securelevel = -1;
username = JidFile = cleanenv = NULL;
fp = NULL;
- while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) {
+ while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
switch (ch) {
case 'i':
iflag = 1;
@@ -73,6 +76,12 @@
JidFile = optarg;
Jflag = 1;
break;
+ case 's':
+ ltmp = strtol(optarg, &ep, 0);
+ if (*ep || ep == optarg || ltmp > INT_MAX || !ltmp)
+ errx(1, "invalid securelevel: `%s'", optarg);
+ securelevel = ltmp;
+ break;
case 'u':
username = optarg;
uflag = 1;
@@ -130,6 +139,11 @@
errx(1, "Could not write JidFile: %s", JidFile);
}
}
+ if (securelevel > 0) {
+ if (sysctlbyname("kern.securelevel", NULL, 0, &securelevel,
+ sizeof(securelevel)))
+ err(1, "Can not set securelevel to %d", securelevel);
+ }
if (username != NULL) {
if (Uflag)
GET_USER_INFO;
@@ -142,7 +156,7 @@
if (setgid(pwd->pw_gid) != 0)
err(1, "setgid");
if (setusercontext(lcap, pwd, pwd->pw_uid,
- LOGIN_SETALL & ~LOGIN_SETGROUP) != 0)
+ LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
err(1, "setusercontext");
login_close(lcap);
}
@@ -168,8 +182,9 @@
usage(void)
{
- (void)fprintf(stderr, "%s%s\n",
- "usage: jail [-i] [-J jid_file] [-l -u username | -U username]",
+ (void)fprintf(stderr, "%s%s%s\n",
+ "usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
+ "username | -U username]",
" path hostname ip-number command ...");
exit(1);
}
Index: jexec.c
===================================================================
RCS file: /home/cvs/src/usr.sbin/jexec/jexec.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.sbin/jexec/jexec.c -L usr.sbin/jexec/jexec.c -u -r1.1.1.1 -r1.2
--- usr.sbin/jexec/jexec.c
+++ usr.sbin/jexec/jexec.c
@@ -23,33 +23,91 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/usr.sbin/jexec/jexec.c,v 1.2 2003/07/04 19:14:27 bmilekic Exp $
+ * $FreeBSD: src/usr.sbin/jexec/jexec.c,v 1.4 2006/09/29 17:04:03 ru Exp $
*/
#include <sys/param.h>
#include <sys/jail.h>
#include <err.h>
+#include <errno.h>
+#include <login_cap.h>
#include <stdio.h>
#include <stdlib.h>
+#include <pwd.h>
#include <unistd.h>
static void usage(void);
+#define GET_USER_INFO do { \
+ pwd = getpwnam(username); \
+ if (pwd == NULL) { \
+ if (errno) \
+ err(1, "getpwnam: %s", username); \
+ else \
+ errx(1, "%s: no such user", username); \
+ } \
+ lcap = login_getpwclass(pwd); \
+ if (lcap == NULL) \
+ err(1, "getpwclass: %s", username); \
+ ngroups = NGROUPS; \
+ if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \
+ err(1, "getgrouplist: %s", username); \
+} while (0)
+
int
main(int argc, char *argv[])
{
int jid;
-
- if (argc < 3)
+ login_cap_t *lcap = NULL;
+ struct passwd *pwd = NULL;
+ gid_t groups[NGROUPS];
+ int ch, ngroups, uflag, Uflag;
+ char *username;
+ ch = uflag = Uflag = 0;
+ username = NULL;
+
+ while ((ch = getopt(argc, argv, "u:U:")) != -1) {
+ switch (ch) {
+ case 'u':
+ username = optarg;
+ uflag = 1;
+ break;
+ case 'U':
+ username = optarg;
+ Uflag = 1;
+ break;
+ default:
+ usage();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+ if (argc < 2)
+ usage();
+ if (uflag && Uflag)
usage();
- jid = (int)strtol(argv[1], NULL, 10);
+ if (uflag)
+ GET_USER_INFO;
+ jid = (int)strtol(argv[0], NULL, 10);
if (jail_attach(jid) == -1)
err(1, "jail_attach(): %d", jid);
if (chdir("/") == -1)
err(1, "chdir(): /");
- if (execvp(argv[2], argv + 2) == -1)
- err(1, "execvp(): %s", argv[2]);
+ if (username != NULL) {
+ if (Uflag)
+ GET_USER_INFO;
+ if (setgroups(ngroups, groups) != 0)
+ err(1, "setgroups");
+ if (setgid(pwd->pw_gid) != 0)
+ err(1, "setgid");
+ if (setusercontext(lcap, pwd, pwd->pw_uid,
+ LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
+ err(1, "setusercontext");
+ login_close(lcap);
+ }
+ if (execvp(argv[1], argv + 1) == -1)
+ err(1, "execvp(): %s", argv[1]);
exit(0);
}
@@ -57,6 +115,8 @@
usage(void)
{
- fprintf(stderr, "usage: jexec jid command [...]\n");
+ fprintf(stderr, "%s%s\n",
+ "usage: jexec [-u username | -U username]",
+ " jid command ...");
exit(1);
}
Index: jexec.8
===================================================================
RCS file: /home/cvs/src/usr.sbin/jexec/jexec.8,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.sbin/jexec/jexec.8 -L usr.sbin/jexec/jexec.8 -u -r1.1.1.1 -r1.2
--- usr.sbin/jexec/jexec.8
+++ usr.sbin/jexec/jexec.8
@@ -23,9 +23,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/usr.sbin/jexec/jexec.8,v 1.2 2003/05/31 18:24:40 ru Exp $
+.\" $FreeBSD: src/usr.sbin/jexec/jexec.8,v 1.4 2006/09/29 17:57:02 ru Exp $
.\"
-.Dd April 8, 2003
+.Dd April 19, 2006
.Dt JEXEC 8
.Os
.Sh NAME
@@ -33,6 +33,7 @@
.Nd "execute a command inside an existing jail"
.Sh SYNOPSIS
.Nm
+.Op Fl u Ar username | Fl U Ar username
.Ar jid command ...
.Sh DESCRIPTION
The
@@ -41,6 +42,18 @@
.Ar command
inside the jail identified by
.Ar jid .
+.Pp
+The following options are available:
+.Bl -tag -width indent
+.It Fl u Ar username
+The user name from host environment as whom the
+.Ar command
+should run.
+.It Fl U Ar username
+The user name from jailed environment as whom the
+.Ar command
+should run.
+.El
.Sh SEE ALSO
.Xr jail_attach 2 ,
.Xr jail 8 ,
Index: Makefile
===================================================================
RCS file: /home/cvs/src/usr.sbin/jexec/Makefile,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.sbin/jexec/Makefile -L usr.sbin/jexec/Makefile -u -r1.1.1.1 -r1.2
--- usr.sbin/jexec/Makefile
+++ usr.sbin/jexec/Makefile
@@ -1,7 +1,9 @@
-# $FreeBSD: src/usr.sbin/jexec/Makefile,v 1.1 2003/04/09 03:04:12 mike Exp $
+# $FreeBSD: src/usr.sbin/jexec/Makefile,v 1.2 2006/04/19 10:12:10 delphij Exp $
PROG= jexec
MAN= jexec.8
+DPADD= ${LIBUTIL}
+LDADD= -lutil
WARNS?= 6
.include <bsd.prog.mk>
Index: jls.c
===================================================================
RCS file: /home/cvs/src/usr.sbin/jls/jls.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.sbin/jls/jls.c -L usr.sbin/jls/jls.c -u -r1.1.1.1 -r1.2
--- usr.sbin/jls/jls.c
+++ usr.sbin/jls/jls.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/usr.sbin/jls/jls.c,v 1.3.12.1 2005/08/19 11:09:11 pjd Exp $
+ * $FreeBSD: src/usr.sbin/jls/jls.c,v 1.5 2005/08/19 11:03:49 pjd Exp $
*/
#include <sys/param.h>
More information about the Midnightbsd-cvs
mailing list