visudo non-functional in 7.0-RELEASE jail
Boris Samorodov
bsam at ipt.ru
Tue Jul 29 18:58:22 UTC 2008
On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:
> Been using jails for a while with 6.2 and 6.3. Today I'm working my first lab
> box with 7.0-RELEASE. Set everything up with ezjail, e.g. ezjail-admin
> create... Everything builds/installs fine, no barks. Sudo installed via make
> install in /usr/ports/security/sudo on both parent and jail after a portsnap
> update. The version of sudo works fine in the parent. In the jail however I
> always get:
> zincite# /usr/local/sbin/visudo
> visudo: /usr/local/etc/sudoers busy, try again later
> Sudoers is not busy. This is on a fresh jail that only I have access to,
> doing a visudo right after the make install finishes.
> My first thought was the jail dev/fs perms were somehow messed up but I can
> write to /usr/local/etc. In fact I can vi /usr/local/etc/sudoers and write it
> back out.
> I've checked the sysctl flags. They are the same as on a working 6.x
> parent (but I've included them here FWIW):
I'm not sure that this configuration (6.x parent and 7.x jail) is
supported. I think that just the opposite may (or should) work.
Just my imho though. I'll be glad to be wrong here...
> Root Dude ? sysctl -a|egrep jail
> security.jail.jailed: 0
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 0
> security.jail.enforce_statfs: 2
> security.jail.sysvipc_allowed: 0
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> Rc.conf has:
> ezjail_enable=YES
> jail_list="zincite"
> jail_zincite_rootdir=/usr/local/jails/zincite
> jail_zincite_hostname=zincite.earlham.edu
> jail_zincite_ip=159.28.83.137
> jail_zincite_interface=bge0
> #jail_zincite_fstab="/etc/zincite.fstab"
> jail_zincite_mount_enable="YES"
> jail_zincite_devfs_enable="YES"
> Fstab is pretty standard:
> Root Dude ? cat /etc/fstab.zincite
> /usr/local/jails/basejail /usr/local/jails/zincite/basejail nullfs ro 0 0
> The /usr/local/jails/zincite/etc/devfs.conf is non-tweaked
> zincite# ls -l /dev
> total 0
> dr-xr-xr-x 2 root wheel 512 Jul 29 16:23 fd
> lrwxr-xr-x 1 root wheel 14 Jul 29 16:23 log -> ../var/run/log
> crw-rw-rw- 1 root wheel 0, 6 Jul 29 17:33 null
> crw-rw-rw- 1 root wheel 0, 121 Jul 29 17:26 ptyp0
> crw-rw-rw- 1 root wheel 0, 123 Jul 29 17:38 ptyp1
> crw-rw-rw- 1 root wheel 0, 10 Jul 29 12:23 random
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stderr -> fd/2
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdin -> fd/0
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdout -> fd/1
> crw-rw-rw- 1 root wheel 0, 122 Jul 29 17:26 ttyp0
> crw--w---- 1 rj tty 0, 124 Jul 29 17:38 ttyp1
> lrwxr-xr-x 1 root wheel 6 Jul 29 16:23 urandom -> random
> crw-rw-rw- 1 root wheel 0, 7 Jul 29 16:23 zero
> and /usr/local/etc/ezjail/zincite contains:
> export jail_zincite_hostname="zincite"
> export jail_zincite_ip="159.28.83.137"
> export jail_zincite_rootdir="/usr/local/jails/zincite"
> export jail_zincite_exec="/bin/sh /etc/rc"
> export jail_zincite_mount_enable="YES"
> export jail_zincite_devfs_enable="YES"
> export jail_zincite_devfs_ruleset="devfsrules_jail"
> export jail_zincite_procfs_enable="YES"
> export jail_zincite_fdescfs_enable="YES"
> export jail_zincite_image=""
> export jail_zincite_imagetype=""
> export jail_zincite_attachparams=""
> export jail_zincite_attachblocking=""
> export jail_zincite_forceblocking=""
> I tried tracing visudo but that didn't give me much:
> ...
> 1293: open("/usr/local/etc/sudoers",O_RDWR|O_CREAT,0440) = 3 (0x3)
> 1293: fcntl(3,F_SETLK,0x7fffffffe390) ERR#22 'Invalid argument'
> visudo: 1293: write(2,"visudo: ",8) = 8 (0x8)
> /usr/local/etc/sudoers busy, try again later 1293:
> write(2,"/usr/local/etc/sudoers busy, try"...,44) = 44 (0x2c)
> 1293: write(2,"\n",1) = 1 (0x1)
> 1293: process exit, rval = 1
> I noted the invalid argument, thought busted port, but same thing works great
> on the parent.
> I'm running out of places to poke.
WBR
--
bsam
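Added example, not part of the original thread or of sudo's source: the trace above shows fcntl(3,F_SETLK,...) failing with ERR#22 'Invalid argument' while visudo prints "busy". EINVAL from F_SETLK is not lock contention (that is reported as EAGAIN or EACCES), so this small C probe makes the same kind of call on a given file and reports which case applies. The whole-file write lock and the names probe_lock and classify_lock_errno are assumptions of this example.

```c
/* Added example: classify the result of a non-blocking fcntl() write lock. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lock_result { LOCK_OK = 0, LOCK_BUSY = 1, LOCK_INVALID = 2, LOCK_ERROR = 3 };

/* Map the errno left by fcntl(F_SETLK) to a diagnosis. */
enum lock_result classify_lock_errno(int err)
{
    switch (err) {
    case 0:      return LOCK_OK;
    case EAGAIN:                      /* POSIX permits either value when   */
    case EACCES: return LOCK_BUSY;    /* another process holds the lock    */
    case EINVAL: return LOCK_INVALID; /* bad struct flock, or the file does
                                         not support locking: not contention */
    default:     return LOCK_ERROR;
    }
}

/* Try F_SETLK on path; a whole-file write lock is assumed (the trace does
 * not show the struct flock contents). The errno seen goes to *err_out. */
enum lock_result probe_lock(const char *path, int *err_out)
{
    struct flock fl;
    int err = 0;
    int fd = open(path, O_RDWR);      /* no O_CREAT: the probe never creates files */
    if (fd < 0) {
        if (err_out) *err_out = errno;
        return LOCK_ERROR;
    }
    memset(&fl, 0, sizeof fl);        /* l_start = 0, l_len = 0: whole file */
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    if (fcntl(fd, F_SETLK, &fl) == -1) err = errno;
    close(fd);                        /* closing the descriptor drops the lock */
    if (err_out) *err_out = err;
    return classify_lock_errno(err);
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "lockable", "held by another process", "lock request rejected", "error" };
    int err = 0;
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    enum lock_result r = probe_lock(argv[1], &err);
    printf("%s: %s%s%s\n", argv[1], msg[r], err ? ": " : "", err ? strerror(err) : "");
    return r;
}
```

Running it against the same file on the host and inside the jail shows whether the two environments answer the lock request differently.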