A jail notion.
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Wed Sep 4 22:23:12 UTC 2019
Zaphond,
I've had the same problem. Even after merging all UIDs, GIDs into the
host environment (preferably with appropriate replacements of:
/nonexistent:/usr/sbin/nologin), I was confronted with the same uid
across multiple jails. So really "ps -o jid,pid,command" and "top -j"
are useful - and it takes minor effort. However, the problem is with
/var/audit logs - the subject really needs a jail id field, but that's
not quite on-topic.
Kerberos users still require/have a userid - either as a person
(account) or an application (account); if you go this route linking
heimdal and openldap work nicely - I used to use these together with
pre-samba4.X but you still need an account; while post-samba3, you'll
need to modify nsswitch.conf so the system can find a userid mapping.
NIS was helpful but for our env, unsuitable, as we didn't want all xIDs
exposed in the jails.
FWIW I added this to acquire jail id information in the /var/audit logs
(a very long time ago - not my original idea, I just met the need):
--- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c
(revision 351800)
+++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c (working
copy)
@@ -172,6 +172,7 @@
fprintf(stderr, "\t\t pid=<ID>\n");
fprintf(stderr, "\t\t semid=<ID>\n");
fprintf(stderr, "\t\t shmid=<ID>\n");
+ fprintf(stderr, "\t\t zone=<ID>\n");
fprintf(stderr, "\t-r <uid|name> : real user\n");
fprintf(stderr, "\t-u <uid|name> : audit user\n");
fprintf(stderr, "\t-v : select non-matching records\n");
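Review bot: the usage text added here advertises the new -o keyword as `zone=<ID>`, but the string the parser will actually accept is whatever ZONEOBJ expands to, and the header hunk in this same patch sets that to "zonename"; the two spellings need to agree or `-o zone=...` will fall through to "unknown value for -o". The `<ID>` placeholder is also questionable, since the define's name (and its "aka jail" comment) suggests the selector matches a zone/jail name rather than a numeric id; `zonename=<name>` would be clearer.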
@@ -593,6 +594,9 @@
} else if (!strcmp(name, SOCKOBJ)) {
p_sockobj = val;
SETOPT(opttochk, OPT_oso);
+ } else if (!strcmp(name, ZONEOBJ)) {
+ p_sockobj = val;
+ SETOPT(opttochk, OPT_z);
} else
usage("unknown value for -o");
}
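Review bot: the new ZONEOBJ branch does `p_sockobj = val;`, which looks copied from the SOCKOBJ branch directly above it: it clobbers the socket-object selector and leaves no variable holding the zone value, so OPT_z gets set but there is nothing for the record matcher to compare against. Declare a dedicated `p_zoneobj` next to `p_sockobj`, assign `val` to it here, and include the matching code that honours OPT_z in the same change.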
Index: /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h
===================================================================
--- /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h
(revision 351800)
+++ /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.h (working
copy)
@@ -57,6 +57,7 @@
#define OPT_u 0x00010000
#define OPT_A 0x00020000
#define OPT_v 0x00040000
+#define OPT_z 0x00080000 /* zone token */
#define FILEOBJ "file"
#define MSGQIDOBJ "msgqid"
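Review bot: OPT_z is introduced as a new selection bit, but nothing in the patch as posted tests it when records are filtered, so the option can be parsed without ever affecting which records are selected; the check against the record's zonename token belongs in the same commit. The value 0x00080000 is the next free bit after OPT_v in the visible lines, so there is no collision with the existing flags.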
@@ -64,6 +65,7 @@
#define SEMIDOBJ "semid"
#define SHMIDOBJ "shmid"
#define SOCKOBJ "sock"
+#define ZONEOBJ "zonename" /* aka jail */
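Review bot: since -o gains a new keyword here, the auditreduce(1) man page should document "zonename" alongside the other -o object names, and the keyword spelled in the usage() text in auditreduce.c should be kept identical to this define (it currently reads "zone"). Deriving the usage string from ZONEOBJ itself would prevent the two drifting apart again.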