security bug or operator "misunderstanding", and a query
Randy Schultz
schulra at earlham.edu
Sat Aug 18 15:07:59 PDT 2007
On Wed, 15 Aug 2007, Bill Moran spaketh thusly:
-}In response to Randy Schultz <schulra at earlham.edu>:
-}
-}> Hey all,
-}>
-}> I've been messing around with, and liking, jails. I had a weird thing happen
-}> tho' that I cannot explain, and seems to violate the concept of jail.
-}>
-}> I have the AMD64 version of fbsd 6.2 set up, default install (plus a few minor
-}> ports like sudo). The jail setup is AFAIK standard, e.g. rc.conf has:
-}>
-}> jail_list="ntpjail"
-}>
-}> jail_ntpjail_rootdir=/usr/local/jails/jail1
-}> jail_ntpjail_hostname=ntpjail.earlham.edu
-}> jail_ntpjail_ip=192.168.1.59
-}> jail_ntpjail_interface=bge1
-}> jail_ntpjail_devfs_enable="YES"
-}>
-}> The /dev dir is whatever is defined for jails in /etc/defaults/devfs.rules,
-}> and no tweaks are in sysctl.conf.
-}>
-}> When I have the parent/jail up and running, ntpd not running on the parent, if
-}> I kick off ntpd in the jail, it actually kicks off ntpd in the parent then
-}> barks with "address already in use".
-}
-}By design, a jail can not start a process on the host. If you are actually
-}able to demonstrate this behaviour, many would be interested because it
-}would constitute a serious bug.
Yup, you're right.
Today I took some time to more slowly go through the steps. What I missed
before was the "J" in the state field of the ps command, signifying the jailed
process.
False alarm. Sorry 'bout that.
--
Randy (schulra at earlham.edu) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.
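The point Randy hit on, that a jail's processes are visible in the host's ps listing and only the J flag in the STAT column tells them apart, can be checked with a small script. This is an added example, not something from the thread; it parses a constructed sample of `ps axo pid,stat,command` output rather than querying a live system, and the PIDs and commands in it are made up.

```shell
#!/bin/sh
# Constructed sample of `ps axo pid,stat,command` as seen from a FreeBSD
# jail host. Jailed processes appear alongside host ones; the only
# visible difference is the J flag in STAT. Not real output.
SAMPLE_PS='  PID STAT COMMAND
    1 ILs  /sbin/init --
  812 Ss   /usr/sbin/syslogd -s
  903 SsJ  /usr/sbin/ntpd -c /etc/ntp.conf -p /var/run/ntpd.pid
  917 SsJ  /usr/sbin/syslogd -s
  955 S+   -sh'

# jailed_state STAT: print "jailed" if the STAT field carries J, else "host".
jailed_state() {
    case "$1" in
        *J*) echo jailed ;;
        *)   echo host ;;
    esac
}

# where_runs NAME: for every process whose command matches NAME, print
# "PID host|jailed". Reads the sample above; on a real host, pipe in
# `ps axo pid,stat,command` instead (FreeBSD ps can also add a jid column).
where_runs() {
    printf '%s\n' "$SAMPLE_PS" |
        awk -v name="$1" 'NR > 1 && $3 ~ name { print $1, $2 }' |
        while read -r pid stat; do
            echo "$pid $(jailed_state "$stat")"
        done
}

where_runs ntpd      # prints: 903 jailed
where_runs syslogd   # one host copy, one jailed copy
```

If ntpd on the host really had been started by the jail, its line would show no J; the "address already in use" error then points at the jail's own ntpd binding to the same address twice, not at a jail escape.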