[nycbug-talk] jail party

Isaac Levy ike
Wed Sep 8 17:15:29 EDT 2004


Hey Everyone,

I sent this message Monday, but I stupidly attached an image so it got dropped.
The image is now available here:

https://diversaform.com/temp/JailingParty.jpg


--
Hi All,

George G. and Pete W. already gave some reports, but I wanted to  
confirm: we ran amok at the jail(8) Virtual Installfest.  Everyone who  
showed up learned something, taught something, broke something, and we  
did some FreeBSD Jailing.

I think Pete even got a jail running in a memory filesystem, but we  
were all asleep or afk by then!

--
With that, here's some stuff I wanted to make note of, for which there  
isn't enough good howto documentation out there (though the man pages  
rock, as expected on a BSD):

FreeBSD 5.x has a new /dev facility (actually, it's in the later 4.x  
series too): mount_devfs.

The old way, one would want to remove/restrict the built devfs which  
one builds for jails in 4.x: setting system immutable flags (schg), and  
restricting access by rebooting with a high SecureLevel.

Well, under 5.x we now don't 'make' a special devfs, we mount it- just  
like the root system- using mount_devfs.  So, the mount_devfs facility  
is pretty cool- it allows devices to only be accessed according to  
rulesets:
"The devfs(5) rule subsystem provides a way for the administrator of a  
system to control the attributes of DEVFS nodes."  So, an administrator  
can much more flexibly control device access from jails- actually  
giving special access if necessary, instead of just killing it all...

With flexibility comes complexity, we all nodded and agreed.  But this  
is all pretty cool stuff- and we learned more about FreeBSD 5 devices  
than I think any of us really understood (I'll speak for myself: more  
than I understood <g>).

So along with man jail, man devfs is wildly important for understanding  
jailing security in FreeBSD 5.x:

http://www.freebsd.org/cgi/man.cgi?query=devfs&apropos=0&sektion=0&manpath=FreeBSD+5.2.1-RELEASE+and+Ports&format=html


--
Anyhow,

Beyond that we were plagued by one funky acting nic, a failing old  
keyboard, and a nice sunny holiday weekend- and we all had a great  
time.  More Ad-Hoc Virtual Installfests and hack-a-thons to come  
folks?!!?

Rocket-
.ike







For the record, some jailing party wraps:

/etc/motd
----------------------------------------------------
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.

FreeBSD 5.2.1-RELEASE (GENERIC) #0: Mon Feb 23 20:45:55 GMT 2004
piegon.brooklyn.informatikburo.net

Welcome to FreeBSD!

        _
  _ __ (_) ___  __ _  ___  _ __
| '_ \| |/ _ \/ _` |/ _ \| '_ \
| |_) | |  __/ (_| | (_) | | | |
| .__/|_|\___|\__, |\___/|_| |_|
|_|           |___/


let's get to jailing!!
example jails are in /usr/local/jails
-->IKE suggests we use "template" as our jail world
-->nomadlogic has setup a one liner to start up a
    jail in /usr/local/bin/jail_make.sh
-->Have Fun!
----------------------------------------------------

piegon:/home/ike ike$ last
ike              ttyp1    192.168.1.22     Tue Sep  7 10:42   still logged in
geo              ttyp1    68.193.227.37    Tue Sep  7 10:03 - 10:06  (00:02)
geo              ttyp4    68.193.227.37    Mon Sep  6 23:23 - 08:24  (09:01)
nomadlogic       ttyp3    66.245.180.52    Mon Sep  6 22:42   still logged in
ike              ttyp2    192.168.1.22     Mon Sep  6 22:35   still logged in
geo              ttyp1    68.193.227.37    Mon Sep  6 22:26 - 08:25  (09:59)
ike              ttyp0    192.168.1.22     Mon Sep  6 21:29   still logged in
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 11:06 - 12:55  (01:48)
nomadlogic       ttyp2    69.86.66.183     Mon Sep  6 11:06 - 12:55  (01:48)
nomadlogic       ttyp2    69.86.66.183     Mon Sep  6 10:53 - 11:06  (00:12)
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 10:49 - 11:06  (00:17)
ike              ttyp0    192.168.1.22     Mon Sep  6 10:48 - 21:29  (10:40)
reboot           ~                         Mon Sep  6 10:48
shutdown         ~                         Mon Sep  6 10:46
nomadlogic       ttyp2    69.86.66.183     Mon Sep  6 10:11 - 10:44  (00:32)
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 10:09 - shutdown  (00:36)
nomadlogic       ttyp2    69.86.66.183     Mon Sep  6 09:50 - 09:56  (00:06)
ike              ttyp0    192.168.1.22     Mon Sep  6 09:20 - shutdown  (01:25)
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 08:55 - 09:56  (01:00)
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 06:38 - 07:30  (00:52)
ike              ttyp0    192.168.1.22     Mon Sep  6 06:37 - 09:17  (02:39)
ike              ttyv0                     Mon Sep  6 06:36 - shutdown  (04:09)
reboot           ~                         Mon Sep  6 06:36
shutdown         ~                         Mon Sep  6 06:34
nomadlogic       ttyp1    69.86.66.183     Mon Sep  6 06:33 - 06:33  (00:00)
ike              ttyp0    192.168.1.22     Mon Sep  6 06:32 - shutdown  (00:01)
ike              ttyv0                     Mon Sep  6 06:23 - shutdown  (00:10)
reboot           ~                         Mon Sep  6 06:22
shutdown         ~                         Mon Sep  6 06:20
ike              ttyv0                     Mon Sep  6 06:15 - shutdown  (00:05)
reboot           ~                         Mon Sep  6 06:15
shutdown         ~                         Mon Sep  6 06:12
ike              ttyv0                     Mon Sep  6 06:08 - shutdown  (00:04)
reboot           ~                         Mon Sep  6 06:08
shutdown         ~                         Mon Sep  6 06:04
ike              ttyv0                     Mon Sep  6 05:56 - shutdown  (00:08)
reboot           ~                         Mon Sep  6 05:56
shutdown         ~                         Mon Sep  6 01:52
shutdown         ~                         Mon Sep  6 00:37
ike              ttyp3    192.168.1.22     Mon Sep  6 00:21 - shutdown  (00:15)
ike              ttyp2    192.168.1.22     Mon Sep  6 00:10 - shutdown  (00:26)
geo              ttyp1    68.193.227.37    Sun Sep  5 21:52 - 00:32  (02:39)
ray              ttyp1    flingpoo.com     Sun Sep  5 13:06 - 14:49  (01:42)
nomadlogic       ttyp6    69.86.66.183     Sun Sep  5 08:52 - 10:38  (01:46)
geo              ttyp5    68.193.227.37    Sun Sep  5 08:36 - 00:32  (15:56)
ike              ttyp4    192.168.1.22     Sun Sep  5 08:28 - shutdown  (16:09)
nomadlogic       ttyp3    69.86.66.183     Sun Sep  5 08:27 - 10:38  (02:10)
geo              ttyp2    68.193.227.37    Sun Sep  5 08:16 - 18:49  (10:32)
nomadlogic       ttyp1    69.86.66.183     Sun Sep  5 08:15 - 10:35  (02:19)
ike              ttyp0    192.168.1.22     Sun Sep  5 08:15 - shutdown  (16:22)
reboot           ~                         Sun Sep  5 08:14
shutdown         ~                         Sun Sep  5 08:12
geo              ttyp4    68.193.227.37    Sun Sep  5 07:05 - shutdown  (01:06)
geo              ttyp4    68.193.227.37    Sun Sep  5 06:46 - 07:05  (00:19)
nomadlogic       ttyp5    66.245.180.52    Sun Sep  5 06:30 - shutdown  (01:42)
geo              ttyp6    68.193.227.37    Sun Sep  5 06:28 - 07:23  (00:55)
nomadlogic       ttyp5    66.245.180.52    Sun Sep  5 06:21 - 06:29  (00:07)
geo              ttyp4    68.193.227.37    Sun Sep  5 06:20 - 06:30  (00:10)
nomadlogic       ttyp3    66.245.180.52    Sun Sep  5 06:13 - 07:21  (01:07)
ray              ttyp2    flingpoo.com     Sun Sep  5 02:00 - shutdown  (06:12)
nomadlogic       ttyp4    69.86.66.183     Sun Sep  5 00:38 - 00:47  (00:08)
ray              ttyp3    flingpoo.com     Sun Sep  5 00:33 - 02:00  (01:27)
nomadlogic       ttyp2    69.86.66.183     Sun Sep  5 00:29 - 01:51  (01:22)
ike              ttyp1    192.168.1.22     Sun Sep  5 00:20 - shutdown  (07:51)
ike              ttyp0    192.168.1.22     Sat Sep  4 13:10 - shutdown  (19:02)
nomadlogic       ttyp0    69.86.66.183     Sat Sep  4 06:44 - 08:15  (01:31)
nomadlogic       ttyp0    69.86.66.183     Sat Sep  4 06:43 - 06:44  (00:00)
nomadlogic       ttyp3    69.86.66.183     Sat Sep  4 06:41 - 08:15  (01:33)
nomadlogic       ttyp0    69.86.66.183     Sat Sep  4 06:18 - 06:43  (00:24)
ike              ttyp4    151.202.91.232   Sat Sep  4 03:41 - 09:20  (05:39)
nomadlogic       ttyp3    66.245.180.52    Sat Sep  4 03:10 - 04:14  (01:04)
nomadlogic       ttyp3    66.245.180.52    Sat Sep  4 02:33 - 03:10  (00:37)
ike              ttyp2    151.202.91.232   Sat Sep  4 00:53 - 09:20  (08:27)
ike              ttyp2    192.168.1.223    Sat Sep  4 00:52 - 00:52  (00:00)
ike              ttyp1    151.202.91.232   Sat Sep  4 00:49 - 08:39  (07:50)
nomadlogic       ttyp0    63.211.44.194    Fri Sep  3 22:32 - 04:14  (05:41)
ike              ttyp1    192.168.1.22     Fri Sep  3 12:48 - 00:46  (11:57)
ike              ttyp0    192.168.1.22     Fri Sep  3 12:41 - 22:19  (09:38)
ike              ttyv0                     Fri Sep  3 12:39 - shutdown  (1+19:33)
reboot           ~                         Fri Sep  3 12:37
shutdown         ~                         Fri Sep  3 12:35
ike              ttyp1    192.168.1.22     Fri Sep  3 12:35 - shutdown  (00:00)
ike              ttyp2    192.168.1.22     Fri Sep  3 08:02 - shutdown  (04:33)
ike              ttyp1    192.168.1.22     Fri Sep  3 08:00 - 08:02  (00:01)
ike              ttyp0    192.168.1.22     Fri Sep  3 05:48 - shutdown  (06:47)
ike              ttyp0    192.168.1.22     Fri Sep  3 05:46 - 05:48  (00:01)
ike              ttyp0    192.168.1.22     Fri Sep  3 01:48 - 03:11  (01:23)
beren1hand       ttyp1    164.107.250.138  Fri Sep  3 01:44 - 02:03  (00:19)
ike              ttyp0    192.168.1.22     Fri Sep  3 01:37 - 01:47  (00:10)
ike              ttyp4    192.168.1.22     Thu Sep  2 13:22 - 13:23  (00:01)
ike              ttyp3    192.168.1.22     Thu Sep  2 12:47 - 01:01  (12:13)
ike              ttyp2    192.168.1.22     Thu Sep  2 01:33 - 01:01  (23:27)
ike              ttyp1    192.168.1.22     Thu Sep  2 00:58 - 01:01  (1+00:02)
ike              ttyp0    192.168.1.22     Thu Sep  2 00:58 - 01:01  (1+00:02)
ike              ttyv0                     Thu Sep  2 00:56 - shutdown  (1+11:39)
reboot           ~                         Thu Sep  2 00:46
shutdown         ~                         Thu Sep  2 00:44
ike              ttyp0    192.168.1.22     Thu Sep  2 00:07 - shutdown  (00:37)
ike              ttyv0                     Thu Sep  2 00:07 - shutdown  (00:37)
reboot           ~                         Thu Sep  2 00:07
shutdown         ~                         Thu Sep  2 00:05
ike              ttyp1    192.168.1.22     Wed Sep  1 23:40 - shutdown  (00:24)
ike              ttyp0    192.168.1.22     Wed Sep  1 23:35 - shutdown  (00:29)
ike              ttyv0                     Wed Sep  1 23:35 - shutdown  (00:30)
reboot           ~                         Wed Sep  1 23:32
shutdown         ~                         Wed Sep  1 23:30
ike              ttyp2    192.168.1.100    Wed Sep  1 23:30 - 23:30  (00:00)
ike              ttyp1    192.168.1.22     Wed Sep  1 23:17 - shutdown  (00:12)
ike              ttyp0    192.168.1.22     Wed Sep  1 22:46 - shutdown  (00:43)
ike              ttyv0                     Wed Sep  1 21:11 - shutdown  (02:18)
ike              ttyv0                     Wed Sep  1 21:10 - 21:11  (00:01)
reboot           ~                         Wed Sep  1 21:03
shutdown         ~                         Wed Sep  1 21:01
ike              ttyp0    192.168.1.22     Wed Sep  1 20:58 - 21:00  (00:02)
ike              ttyv0                     Wed Sep  1 20:54 - shutdown  (00:06)
ike              ttyv0                     Wed Sep  1 20:53 - 20:54  (00:00)
ike              ttyv0                     Wed Sep  1 20:52 - 20:53  (00:01)
ike              ttyv0                     Wed Sep  1 20:50 - 20:52  (00:01)
reboot           ~                         Wed Sep  1 20:47

wtmp begins Wed Sep  1 20:47:26 EDT 2004
piegon:/home/ike ike$
----------------------------------------------------

piegon:/home/ike ike$ dmesg
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
         The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE #0: Mon Feb 23 20:45:55 GMT 2004
     root at wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0a35000.
Preloaded elf module "/boot/kernel/acpi.ko" at 0xc0a3526c.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel Pentium III (851.94-MHz 686-class CPU)
   Origin = "GenuineIntel"  Id = 0x68a  Stepping = 10
   Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 536608768 (511 MB)
avail memory = 511578112 (487 MB)
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <INTEL  TR440BXA> on motherboard
pcibios: BIOS version 2.10
Using $PIR table, 7 entries at 0xc00f2a80
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_cpu0: <CPU> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib0: slot 7 INTD is routed to irq 5
pcib0: slot 12 INTA is routed to irq 3
pcib0: slot 13 INTA is routed to irq 3
pcib0: slot 14 INTA is routed to irq 10
pcib0: slot 15 INTA is routed to irq 11
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0xffa0-0xffaf at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xef80-0xef9f irq 5 at device 7.2 on pci0
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pci0: <bridge, PCI-unknown> at device 7.3 (no driver attached)
fxp0: <Intel 82559 Pro/100 Ethernet> port 0xef00-0xef3f mem 0xfea00000-0xfeafffff,0xfebfe000-0xfebfefff irq 3 at device 12.0 on pci0
fxp0: Ethernet address 00:02:b3:b1:b0:70
miibus0: <MII bus> on fxp0
inphy0: <i82555 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: <Intel 82559 Pro/100 Ethernet> port 0xee80-0xeebf mem 0xfe800000-0xfe8fffff,0xfebfd000-0xfebfdfff irq 3 at device 13.0 on pci0
fxp1: Ethernet address 00:02:b3:b1:b0:71
miibus1: <MII bus> on fxp1
inphy1: <i82555 10/100 media interface> on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
twe0: <3ware 7000 series Storage Controller. Driver version 1.50.00.000> port 0xefa0-0xefaf irq 10 at device 14.0 on pci0
twe0: 4 ports, Firmware FE6X 1.02.28.053, BIOS BE6X 1.07.02.005
pci0: <display, VGA> at device 15.0 (no driver attached)
acpi_button0: <Sleep Button> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
orm0: <Option ROMs> at iomem 0xdc000-0xdffff,0xca800-0xcbfff,0xc9000-0xca7ff,0xc8000-0xc8fff,0xc0000-0xc7fff on isa0
pmtimer0 on isa0
fdc0: ready for input in output
fdc0: cmd 3 failed at out byte 1 of 3
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 851936642 Hz quality 800
Timecounters tick every 10.000 msec
acd0: CDROM <CD-224E> at ata1-master PIO4
twed0: <Unit 2, TwinStor, Normal> on twe0
twed0: 76292MB (156247952 sectors)
GEOM: create disk twed0 dp=0xc48dd70c
Mounting root from ufs:/dev/twed0s1a
twe0: AEN: <twe0: port 2: ATA UDMA downgrade>
piegon:/home/ike ike$
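As an added example (not code from the original post, nor the FreeBSD project's own), here is the devfs(5) ruleset approach Ike describes, put to work on a 5.x jail's /dev from the host side: hide every node, unhide an explicit allow-list, and bind the ruleset to the jail's devfs mount so that devices appearing after the jail starts are covered as well. The jail path, the ruleset number and the device list are assumptions for illustration, not anything the mail states; the devfs(8) subcommands used (rule add, rule applyset, ruleset) are the ones documented in the 5.x man page linked above.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeBSD project: lock down a
# FreeBSD 5.x jail's /dev with the devfs(8) rule subsystem, deny-by-default.
# Assumptions (none stated in the mail): the jail lives under
# /usr/local/jails/template, ruleset number 10 is unused on the host, and the
# allow-list below covers what the jail's services need.
#
# -f (noglob) matters here: the device patterns contain '*' and must reach
# devfs(8) literally, not expanded by the shell against the host's cwd.
set -euf

JAIL_ROOT=${JAIL_ROOT:-/usr/local/jails/template}
RULESET=${RULESET:-10}

# Nodes the jail may see. Patterns are fnmatch(3)-style, matched against the
# path relative to the devfs mount point, so "fd/*" covers /dev/fd/0, 1, 2 and
# "ptyp*"/"ttyp*" cover the BSD pty pairs sshd hands out (the ttyp* seen in the
# last(1) output above). Nothing here names mem, kmem, io, disks or tapes.
JAIL_DEVS="null zero random urandom stdin stdout stderr fd fd/* ptyp* ttyp*"

# Print the devfs(8) rule commands for the jail ruleset, one per line. devfs
# numbers rules in the order they are added and evaluates them in that order,
# so the unconditional "hide" goes first and each "unhide" after it wins only
# for the path it names. That ordering is what makes the set deny-by-default.
jail_devfs_rules() {
    printf 'rule -s %s add hide\n' "$RULESET"
    for dev in $JAIL_DEVS; do
        printf 'rule -s %s add path %s unhide\n' "$RULESET" "$dev"
    done
}

# Mount a fresh devfs on the jail's /dev, load the ruleset and bind it. Two
# distinct devfs(8) operations are needed:
#   rule -s N applyset   rewrites the nodes that already exist under the mount
#   ruleset N            makes the mount apply ruleset N to nodes created later
#                        (a driver attaching after the jail starts, for example)
# Only applyset leaves future nodes visible; only ruleset leaves the existing
# ones visible.
apply_jail_devfs() {
    jail_dev="$JAIL_ROOT/dev"
    [ -d "$jail_dev" ] || { echo "no such directory: $jail_dev" >&2; return 1; }
    mount -t devfs devfs "$jail_dev"
    jail_devfs_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule line is intended
        devfs $rule
    done
    devfs -m "$jail_dev" rule -s "$RULESET" applyset
    devfs -m "$jail_dev" ruleset "$RULESET"
}

# Host-side check after applying: the usual escape hatches must not be visible
# in the jail's devfs. Returns 1 and names each one that still is.
check_jail_devfs() {
    jail_dev="$JAIL_ROOT/dev"
    bad=0
    for node in mem kmem io console ttyv0; do
        if [ -e "$jail_dev/$node" ]; then
            echo "still visible in $jail_dev: $node" >&2
            bad=1
        fi
    done
    return "$bad"
}

case "${1:-}" in
    rules) jail_devfs_rules ;;
    apply) apply_jail_devfs && check_jail_devfs ;;
    *)     ;;   # no argument: only define the functions
esac
```

Run `sh jail_devfs.sh apply` as root on the jail host after the jail's root has been populated and before jail(8) starts it; `sh jail_devfs.sh rules` just prints the rules for review. `devfs rule showsets` lists the ruleset numbers already loaded (pick one that is not there), and `devfs -m /usr/local/jails/template/dev rule -s 10 show` prints the loaded rules back so the hide/unhide order can be audited. Hiding a node only controls what that devfs mount exposes; it is the jail itself that stops jailed root from creating device nodes, so the two controls belong together.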