Jailed X applications

Alexander Leidinger Alexander at Leidinger.net
Mon Aug 20 01:14:56 PDT 2007


Quoting mal content <artifact.one at googlemail.com> (from Fri, 17 Aug  
2007 17:00:00 +0100):

> On 17/08/07, Alexander Leidinger <Alexander at leidinger.net> wrote:
>> Quoting mal content <artifact.one at googlemail.com> (from Fri, 17 Aug

>> > Has anyone here ever successfully set up a jail for X apps, connecting
>> > to an external X server? I'm trying an experimental sandbox setup here.
>>
>> I have my X server itself in a jail (needs a kernel patch and some
>> devfs rules), and in the past connected to a jail and started an X11
>> program there... IIRC.
>
> I think you may misunderstand me. In this setup, my X
> server is actually running on my host, outside of any
> jail. I intend for programs running inside the jail
> to connect to the X server with TCP/IP:

I haven't misunderstood you. I just explained that I even have a more  
restrictive configuration running.

>   ssh -N -L 6000:hostip:6000 x at hostip &
>   xterm -display 127.0.0.1:6000

ssh itself opens an X11 tunnel for you if you use -X (xauth has to be  
present on ... both(?) hosts), it also sets the DISPLAY variable. So  
maybe
    ssh -f -X x at hostip xterm &
would be a better idea.

Your command may be missing the -g for ssh, or alternatively use -R
instead of -L. -T disables the allocation of a pseudo-tty, but this
should not be necessary; try all the other possibilities first (you
can use -v to get some more information about what ssh does).

> The intention is to also place some sort of custom X
> proxy before the actual server, to do inspection on the
> protocol before it is passed to the real server. This
> is for later, however.

Should be possible even with the built-in X-tunnel (just give the  
value of the ssh DISPLAY to the proxy).

>> ssh uses a tty (pty?), but normally you have some in a jail. How do
>> you start the jail? There should be devfs mounted in the jail.
>>
>
> I'm using a jail created with ezjail from ports. The
> jail has both a devfs and fdescfs mounted inside (it uses
> the standard jail devfs rules). The ezjail documentation
> suggests that it uses the standard /etc/rc.d/jail script
> to start jails, a quick look at the source seems to
> confirm it.

I use ezjail myself, so this is most probably not the problem.

Bye,
Alexander.

-- 
God isn't dead, he just couldn't find a parking place.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
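
The thread mentions handing the ssh-provided DISPLAY value to an inspecting X proxy. The following is an added example, not code from either poster: it maps a DISPLAY value to the endpoint such a proxy would connect to, and decodes the connection setup request, the first message it would see from a client. The function names and the sample request are constructed for illustration; IPv6 and other DISPLAY forms are rejected rather than handled.

```python
import re
import struct

X_TCP_PORT = 6000  # X11 convention: display N listens on TCP port 6000 + N

def resolve_display(display):
    """Turn a DISPLAY value into the endpoint a proxy would connect to."""
    m = re.fullmatch(r"([^:]*):(\d+)(?:\.\d+)?", display)
    if m is None:
        raise ValueError(f"unsupported DISPLAY value: {display!r}")
    host, number = m.group(1), int(m.group(2))
    if host in ("", "unix"):
        # No host part: local display, conventional Unix socket path.
        return ("unix", f"/tmp/.X11-unix/X{number}")
    return ("tcp", host, X_TCP_PORT + number)

def parse_setup_request(buf):
    """Decode the client's first message (X11 connection setup request)."""
    if len(buf) < 12:
        raise ValueError("setup request header is 12 bytes")
    order = {0x42: ">", 0x6C: "<"}.get(buf[0])  # 'B' = MSB first, 'l' = LSB first
    if order is None:
        raise ValueError("bad byte-order marker")
    major, minor, name_len, data_len = struct.unpack(order + "2xHHHH2x", buf[:12])
    data_off = 12 + ((name_len + 3) & ~3)  # auth name is padded to 4 bytes
    if len(buf) < data_off + data_len:
        raise ValueError("truncated authorization fields")
    return {
        "byte_order": "big" if order == ">" else "little",
        "protocol": (major, minor),
        "auth_name": buf[12:12 + name_len].decode("ascii", "replace"),
        "auth_data_len": data_len,  # report the length only, never log the cookie
    }

# Constructed sample: what a little-endian client sends with a 16-byte cookie.
SAMPLE_REQUEST = (struct.pack("<BxHHHH2x", 0x6C, 11, 0, 18, 16)
                  + b"MIT-MAGIC-COOKIE-1" + b"\x00\x00" + bytes(16))

if __name__ == "__main__":
    for value in ("localhost:10.0", ":0", "127.0.0.1:6000"):
        print(value, "->", resolve_display(value))
    print(parse_setup_request(SAMPLE_REQUEST))
```

The number after the colon in DISPLAY is a display number, not a port, so a value such as localhost:10.0 resolves to TCP port 6010.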

