Re: How to login to my jail from host itself (normal user)
On Sat, Nov 12, 2011 at 9:54 PM, masayoshi wrote:
> Hi,I am masayoshi.
> If you have enough time, please answer my question.
>
> I must adduser Ayumi as normal user.
> After adding her in jail, I add her in host.
> Then I type the following command:

Correct me if I'm wrong but I think you are confusing FreeBSD Jails with a Jail Shell. The name FreeBSD Jail is confusing because it's based on advanced chrooting but it's really not intended for jailshailing but rather pseudo-virtualization.

Maybe you should look at jailkit or something like that. The other option is to create a FBSD Jail only for her, but again I think this is not the right tool for the job. Jail Shell is what you're looking for.

--
Alejandro Imass
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How to login to my jail from host itself (normal user)
- Original Message -
> From: "per...@pluto.rain.com"
> To: m.sea...@infracaninophile.co.uk
> Cc: rocksta...@y7mail.com; freebsd-questions@freebsd.org
> Sent: Monday, 14 November 2011 3:02 PM
> Subject: Re: How to login to my jail from host itself (normal user)
>
> Matthew Seaman wrote:
>
>> If you can rely on your user to follow instructions, then you
>> can just tell them to 'ssh jailhost' immediately they login to
>> the host ...
>
> Might it work equally well, and avoid the dependency on following
> instructions, to put
>
> exec ssh jailhost
>
> in this user's .login on the real host?

For me, as I am a newbie, it is a simple, easy, very very cool idea.

Normal user can damage my computer in illegal way. They want to have root authority without permission. She might kill even people. <3

Thank you for your advice. I can keep her in jail on my host computer.

---
Inexperienced FreeBSD user: Level 3
masayoshi & Ayumi Kinoshita
http://tinyurl.com/63zg3op
Re: How to login to my jail from host itself (normal user)
Matthew Seaman wrote:

> If you can rely on your user to follow instructions, then you
> can just tell them to 'ssh jailhost' immediately they login to
> the host ...

Might it work equally well, and avoid the dependency on following instructions, to put

exec ssh jailhost

in this user's .login on the real host?
Re: How to login to my jail from host itself (normal user)
On 13/11/2011 12:31, Peter Vereshagin wrote: > I'd find it obvious to try to launch getty by mean of jexec by setting the > command in /etc/ttys? > > Something like that: > > ttyv0 "/usr/sbin/jexec `cat /var/run/some_jail.id` /usr/libexec/getty > Pc" cons25 on secure > That might work. Needs testing though -- when someone logs in does init in the host system recognize that the jailed login has taken over the vty from the jail? Or does it just keep spawning new getty processes? Lets see... lucid-nonsense:/etc:# diff -u ttys.save ttys --- ttys.save 2011-11-13 12:49:28.868350588 + +++ ttys2011-11-13 12:50:10.609176357 + 
@@ -38,7 +38,7 @@ ttyv4 "/usr/libexec/getty Pc" cons25 on secure ttyv5 "/usr/libexec/getty Pc" cons25 on secure ttyv6 "/usr/libexec/getty Pc" cons25 on secure -ttyv7 "/usr/libexec/getty Pc" cons25 on secure +ttyv7 "/usr/sbin/jexec 1 /usr/libexec/getty Pc" cons25 on secure ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure # Serial terminals # The 'dialup' keyword identifies dialin lines to login, fingerd etc. lucid-nonsense:/etc:# kill -HUP 1 lucid-nonsense:/etc:# jexec 1 ps -ax | grep getty 22182 v7 Is+J 0:00.01 /usr/libexec/getty Pc ttyv7 Looking good so far... Wanders into the other room and logs in on the console -- vty7, which identifies itself as the jail. lucid-nonsense:/etc:# ps -auxwww | grep v7 root 22182 0.0 0.0 21700 1676 v7 IsJ 12:50PM 0:00.06 login [pam] (login) matthew22293 0.0 0.0 10312 2524 v7 IJ 12:53PM 0:00.07 -tcsh (tcsh) matthew22299 0.0 0.0 9372 1668 v7 S+J 12:53PM 0:00.11 top root 22362 0.0 0.0 9124 1192 1 S+ 12:56PM 0:00.00 grep v7 Seems to work nicely. Now, does logout work properly? Logs out of the jail lucid-nonsense:/etc:# ps -auxwww | grep v7 root 22390 0.0 0.0 6916 1028 v7 Is+J 12:59PM 0:00.01 /usr/libexec/getty Pc ttyv7 Yep. All works nicely. That's really cool. Definitely needs care to make sure the jail ID matches up to the intended jail. Using m...@freebsd.org's updated jail init stuff from the sysutils/jailrc port and enabling persistent jails probably the way to go there. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
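Review bot: the added ttyv7 entry hard-codes the jail ID in `jexec 1`, so this console lands in whichever jail currently holds JID 1. JIDs are assigned when jails start, so a jail restart or a different start order can point this vty at another jail, or at none; tie the entry to a stable identifier for the intended jail (the message itself points to persistent jails via sysutils/jailrc) and add a comment above the ttyv7 line recording which jail it is meant for. The entry also keeps the `secure` flag, which permits root logins on that terminal; confirm that is intended for a jail console.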
Re: How to login to my jail from host itself (normal user)
Hello.

2011/11/13 09:23:57 + Matthew Seaman => To masayoshi :

MS> On 13/11/2011 02:54, masayoshi wrote:
MS> > I would like to keep her in jail because she is reckless.

Wow!

MS> Now, if you want to support console based logins direct to a jail. As
MS> far as I know, this is not possible with the FreeBSD console. It would
MS> be a really cool thing to be able to do though. Dedicate one of the
MS> console vty's to the jail... Unfortunately I don't think that's going
MS> to be impossible without code changes to the OS. The problem is init(8)
MS> -- the master process on the system, and the process that controls each
MS> of the getty(8) programs that watch for login attempts on the various
MS> terminals -- that program would require modification so that it knew how
MS> to associate a particular vty with a jail, and then manage the login
MS> process to create a new login session within the jail.

I'd find it obvious to try to launch getty by means of jexec by setting the command in /etc/ttys?

Something like that:

ttyv0 "/usr/sbin/jexec `cat /var/run/some_jail.id` /usr/libexec/getty Pc" cons25 on secure

--
Peter Vereshagin (http://vereshagin.org) pgp: A0E26627
Re: How to login to my jail from host itself (normal user)
On 13/11/2011 02:54, masayoshi wrote:
> I must adduser Ayumi as normal user.
> After adding her in jail, I add her in host.
> Then I type the following command:
>
> # ln -s /usr/jails/www/home/ayumi /home
>
> When she logins, she is in /usr/jails/www/home/ayumi.
> But if she uses "cd" command, she can move directory.
>
> I would like to keep her in jail because she is reckless.
> I would like to know how to login to my jail as normal user from host itself
> when login prompt appear.
> If possible, could you tell me how to do it?
>
> Thanks in advance.
>

I assume simply using a restricted shell like rbash is unsuitable? And that you cannot simply give your user an unprivileged login account -- without root access, while they may be able to chdir around the system, there's not much damage they can do accidentally. (Although users are endlessly inventive when it comes to breaking things...)

When you say 'login' do you mean at the console? That's going to be fairly tricky to enforce. However if you mean logging in over the net by e.g. ssh then to confine the user to a jail is pretty easy. Enable sshd in the jail -- usually this means configuring sshd on the host to bind to specific IP numbers rather than '*'. See jail(8) for more details. Then you give the user a working login and password in the jail and not on the host system. Either delete the account in the host or set the login shell to /sbin/nologin and lock the password.

Now, if you want to support console based logins direct to a jail. As far as I know, this is not possible with the FreeBSD console. It would be a really cool thing to be able to do though. Dedicate one of the console vty's to the jail... Unfortunately I don't think that's going to be impossible without code changes to the OS. The problem is init(8) -- the master process on the system, and the process that controls each of the getty(8) programs that watch for login attempts on the various terminals -- that program would require modification so that it knew how to associate a particular vty with a jail, and then manage the login process to create a new login session within the jail.

About the only way I can think of doing this for a console login is to use X and set up xdm(8) to enable its remote login capability, in which case you get a pull-down on the login screen to allow you to choose which host to log into. But I've never tried to set up a system like this, so I can't really say if it's possible or not. My educated guess is that it should work, but it's quite an ambitious project for a beginner.

It would be nice if you could just force the login process on the host to run something like 'jexec -U $USER 1 /bin/tcsh' but that's a command you need root privilege for, so scratch that. Also, it's pretty dodgy to assume that the jail you want is always going to be running with JID=1.

If you can rely on your user to follow instructions, then you can just tell them to 'ssh jailhost' immediately they login to the host, and set up sshd in the jail as described above. This means they will have to have a working login on the host system, but you can make that be an unprivileged account without root access or access to anything else sensitive. Their account in the jail can have root there, no problem.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
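
An added example, not part of the original message: a small audit of the host-side settings described above (host sshd bound to specific addresses, host account set to /sbin/nologin with a locked password). The function names and all sample file contents are constructed for illustration; it assumes the standard sshd_config and FreeBSD master.passwd formats.

```sh
#!/bin/sh
# Added example: audit the host side of the "sshd in the jail" setup.
# All file contents below are constructed samples, not taken from the thread.

# host_sshd_bound FILE: succeed only if FILE has at least one ListenAddress
# and none is a wildcard (with no ListenAddress, sshd listens on every
# address of the host, including the one given to the jail).
host_sshd_bound() {
    awk 'tolower($1) == "listenaddress" {
             n++
             if ($2 ~ /^(0\.0\.0\.0|::|\[::\])(:[0-9]+)?$/) bad = 1
         }
         END { if (n > 0 && !bad) exit 0; exit 1 }' "$1"
}

# host_login_disabled USER FILE: succeed only if USER's master.passwd entry
# has shell /sbin/nologin and a password field locked by "pw lock", which
# prefixes the stored hash with *LOCKED*.
host_login_disabled() {
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  ok = ($NF == "/sbin/nologin" && index($2, "*LOCKED*") == 1) }
        END { if (found && ok) exit 0; exit 1 }' "$2"
}

# Constructed sample files (192.0.2.10 is a documentation address).
d=$(mktemp -d)
printf 'Port 22\nListenAddress 192.0.2.10\n' > "$d/sshd_good"
printf 'Port 22\n#ListenAddress 0.0.0.0\n'   > "$d/sshd_default"
cat > "$d/master.passwd" <<'EOF'
ayumi:*LOCKED*$6$constructed$hash:1001:1001::0:0:Ayumi:/home/ayumi:/sbin/nologin
guest:$6$constructed$hash:1002:1002::0:0:Guest:/home/guest:/bin/tcsh
EOF

for f in sshd_good sshd_default; do
    if host_sshd_bound "$d/$f"; then echo "$f: bound to specific address"
    else echo "$f: listens on all addresses"; fi
done
for u in ayumi guest; do
    if host_login_disabled "$u" "$d/master.passwd"; then echo "$u: host login disabled"
    else echo "$u: can still log in on the host"; fi
done
```

On a real host the two functions would be pointed at /etc/ssh/sshd_config and /etc/master.passwd, the latter readable only by root.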