Re: Should jail treat ip-number?
Pierre Beyssac (beyssac@enst.fr)
Wed, 10 Nov 1999 01:39:13 +0100
On Tue, Nov 09, 1999 at 12:54:45PM +0900, Yoshinobu Inoue wrote:
> Currently jail set an ip-number and let prisoned processes
> only to bind it.
[ the current jail(2) interface and its future WRT IPv6 ]
> I think kernel change will not so much for any above addition
> or changes, but there will be some backward compatibility
> issue for API. (some member addition to the jail structure,
> and jail command extensions)
There's been a discussion a few weeks ago on freebsd-security on
this very matter. See attached mail below.
The conclusion was that jail(2) should be fixed to use a sockaddr
instead of a 32 bit int to specify the address.
That seems to be the first logical step, even before making jail(2)
IPv6-compliant.
Pierre
Date: Sun, 19 Sep 1999 11:58:39 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <199909191558.LAA64750@khavrinen.lcs.mit.edu>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
In-Reply-To: <199909190551.WAA68627@apollo.backplane.com>
References: <12516.937680952@critter.freebsd.dk>
 <199909190551.WAA68627@apollo.backplane.com>

<<On Sat, 18 Sep 1999 22:51:14 -0700 (PDT), Matthew Dillon <dillon@apollo.backplane.com> said:
> struct sockaddr is the standard for specifying an IP address. Jail
> isn't using it, not even for IPV4. It's using an unsigned 32 bit int.
> Hell, it isn't even using a struct in_addr! The field is plain and
> simply inappropriately specified in the structure.
For once, I agree with Matt. As titular networking czar, I'm asking
you, Poul, to please fix the interface.
-GAWollman
--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
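The interface change argued for in this thread, sketched as an added example (not code from the original messages or from FreeBSD): a jail record that stores its permitted address as a sockaddr, so one bind check covers both IPv4 and IPv6. The names `struct prison_sa`, `prison_set` and `prison_may_bind` are hypothetical, and the addresses in the comments are constructed documentation addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical jail record: the permitted address is kept as a
 * family-tagged sockaddr instead of a bare 32-bit integer. */
struct prison_sa { struct sockaddr_storage addr; };

/* Parse an IPv4 or IPv6 literal (e.g. "192.0.2.10", "2001:db8::1")
 * into p. Returns 0 on success, -1 if the text is not an address. */
int prison_set(struct prison_sa *p, const char *text)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)&p->addr;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&p->addr;

    memset(p, 0, sizeof(*p));           /* family stays AF_UNSPEC on failure */
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return 0;
    }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return 0;
    }
    return -1;
}

/* Return 1 if a jailed process may bind to `want`, else 0.
 * Only family and address are compared; port and scope id are ignored. */
int prison_may_bind(const struct prison_sa *p, const struct sockaddr *want)
{
    const struct sockaddr *have = (const struct sockaddr *)&p->addr;

    if (want->sa_family != have->sa_family)
        return 0;                       /* an IPv4 jail never matches IPv6 */
    switch (want->sa_family) {
    case AF_INET:
        return memcmp(&((const struct sockaddr_in *)want)->sin_addr,
                      &((const struct sockaddr_in *)have)->sin_addr,
                      sizeof(struct in_addr)) == 0;
    case AF_INET6:
        return memcmp(&((const struct sockaddr_in6 *)want)->sin6_addr,
                      &((const struct sockaddr_in6 *)have)->sin6_addr,
                      sizeof(struct in6_addr)) == 0;
    default:
        return 0;                       /* unset or unsupported family */
    }
}
```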
This archive was generated by hypermail 2.0b3 on Tue Nov 09 1999 - 18:39:50 CST