Jailed X applications

mal content artifact.one at googlemail.com
Fri Aug 17 09:24:50 PDT 2007


On 17/08/07, Alexander Leidinger <Alexander at leidinger.net> wrote:
> Quoting mal content <artifact.one at googlemail.com> (from Fri, 17 Aug
> 2007 06:10:39 +0100):
>
> This is better suited for freebsd-jail@ (CCed), please remove
> freebsd-security@ on reply to move the discussion there.
>

Gotcha.

> > Has anyone here ever successfully set up a jail for X apps, connecting
> > to an external X server? I'm trying an experimental sandbox setup here.
>
> I have my X server itself in a jail (needs a kernel patch and some
> devfs rules), and in the past connected to a jail and started an X11
> program there... IIRC.

I think you may misunderstand me. In this setup, my X
server is actually running on my host, outside of any
jail. I intend for programs running inside the jail
to connect to the X server with TCP/IP:

  # forward local TCP port 6000 (display :0) through ssh to the host's X server
  ssh -N -L 6000:hostip:6000 x@hostip &
  # X display numbers map to port 6000+N, so port 6000 is display :0
  xterm -display 127.0.0.1:0

The intention is to also place some sort of custom X
proxy before the actual server, to do inspection on the
protocol before it is passed to the real server. This
is for later, however.

>
> ssh uses a tty (pty?), but normally you have some in a jail. How do
> you start the jail? There should be devfs mounted in the jail.
>

I'm using a jail created with ezjail from ports. The
jail has both a devfs and fdescfs mounted inside (it uses
the standard jail devfs rules). The ezjail documentation
suggests that it uses the standard /etc/rc.d/jail script
to start jails; a quick look at the source seems to
confirm it.

I'm not entirely sure why programs are attempting to read
directly from /dev/tty. I have not changed any settings from
the defaults.

ssh and ssh-keygen would both attempt to open /dev/tty
when prompting for passwords. I fixed this by disabling
PasswordAuthentication in /etc/ssh/ssh_config and by
specifying passphrases to ssh-keygen on the command line
(a bad idea, but I'm the only user on this machine anyway).

thanks,
MC
