your source for security, BSD, open source and programming.

Fleximus Blog

  

Let's learn how to execute commands in a jail by referring to the jail name instead of the jail number.

Suppose you have set up two jails, namely "mail" and "www". The first is to run your mailserver, the second to run your webserver in a secure jail environment. Each jail has its own parameters like name, hostname, ip, rootdir and so on: 

jailserver# grep jail /etc/rc.conf
jail_enable="YES"
jail_list="mail www"
jail_mail_name="mail"
jail_mail_hostname="mail.mydomain"
jail_mail_ip="192.168.0.11"
jail_mail_rootdir="/usr/jail/mail"
jail_mail_devfs_enable="YES"
jail_www_name="www"
jail_www_hostname="www.mydomain"
jail_www_ip="192.168.0.12"
jail_www_rootdir="/usr/jail/www"
jail_www_devfs_enable="YES"
jailserver#
The jails are started automatically during system startup. If you just configured the jails you want to start them immediately without to reboot: 
jailserver# service jail start
Configuring jails:.
Starting jails: mail.mydomain www.mydomain.
jailserver# jls
   JID  IP Address   Hostname         Path
     1  192.168.0.11 mail.mydomain    /usr/jail/mail
     2  192.168.0.12 www.mydomain     /usr/jail/www
jailserver#
Now two jails are running, having jail ids 1 and 2 assigned. Those numbers are assigned automatically. To jump into a jail simply execute a shell in it: 
jailserver# jexec 1 /bin/csh
mail# sysctl security.jail.jailed
security.jail.jailed: 1
mail# exit
jailserver#
What happens if you need to restart the jails and want to jump into one of them again? 
jailserver# service jail restart
Stopping jails: mail.mydomain www.mydomain.
Configuring jails:.
Starting jails: mail.mydomain www.mydomain.
jailserver# jls
   JID  IP Address   Hostname         Path
     3  192.168.0.11 mail.mydomain    /usr/jail/mail
     4  192.168.0.12 www.mydomain     /usr/jail/www
jailserver# jexec 1 /bin/csh
jexec: jail_attach(1): Invalid argument
jailserver#
I love shell history and use it quite often. But ooops, after the jail restart the JIDs are not the same as before. Let's try it by name. 
jailserver# jexec mail /bin/csh
jexec: jail "mail" not found
jailserver#
Why isn't the jail found? jexec(8) states The jexec utility executes command inside the jail identified by its jid or name. and we set it in rc.conf but it is still not working. The reason for that is, we set up the name for the startup scripts. jexec does not now about it. In jail(8) there is an option "-n" where you can set the jail name. That's what jexec looks up. So we need to setup /etc/rc.conf like this: 
jailserver# grep jail /etc/rc.conf
jail_enable="YES"
jail_list="mail www"
jail_mail_name="mail"
jail_mail_flags="-n mail"
jail_mail_hostname="mail.mydomain"
jail_mail_ip="192.168.0.11"
jail_mail_rootdir="/usr/jail/mail"
jail_mail_devfs_enable="YES"
jail_www_name="www"
jail_www_flags="-n www"
jail_www_hostname="www.mydomain"
jail_www_ip="192.168.0.12"
jail_www_rootdir="/usr/jail/www"
jail_www_devfs_enable="YES"
jailserver#
Let's restart the jails again and see if it's now properly working as we wish: 
jailserver# service jail restart
Stopping jails: mail.mydomain www.mydomain.
Configuring jails:.
Starting jails: mail.mydomain www.mydomain.
jailserver# jls
   JID  IP Address   Hostname         Path
     5  192.168.0.11 mail.mydomain    /usr/jail/mail
     6  192.168.0.12 www.mydomain     /usr/jail/www
jailserver# jexec mail /bin/csh
mail# exit
jailserver#
Okay, now we can use the jail name which will be constant without the need to lookup the jid first.

Final note: This has been tested with FreeBSD 8.2. jail(8) tells us that the option "-n" is deprecated and setting the name by parameter should be equivalent. So I expect that the option is removed in the next major releases and the name parameter must be used. Unfortunately I did not manage to configure the name parameter so I am only showing this method. ■

BSD