d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
481101b823
freebsd-dev/etc/rc.d/jail

435 lines
11 KiB
Plaintext
Raw Normal View History

o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: jail
"REQUIRE: cleanvar" for all RC's writing into /var/run.
2005-01-16 03:12:03 +00:00
# REQUIRE: LOGIN cleanvar
Move securelevel further back in the boot order. Approved by: markm (mentor)(implicit) Reviewed by: dougb
2003-05-05 15:38:41 +00:00
# BEFORE: securelevel
Remove the requirement for the FreeBSD keyword as it no longer makes any sense. Discussed with: dougb, brooks MFC after: 3 days
2004-10-07 13:55:26 +00:00
# KEYWORD: nojail shutdown
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
Add warning about this script dealing with untrusted data. MFC after: 1 week
2008-01-13 14:27:53 +00:00
# WARNING: This script deals with untrusted data (the data and
# processes inside the jails) and care must be taken when changing the
# code related to this! If you have any doubt whether a change is
# correct and have security impact, please get the patch reviewed by
# the FreeBSD Security Team prior to commit.
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
. /etc/rc.subr
name="jail"
rcvar=`set_rcvar`
start_cmd="jail_start"
stop_cmd="jail_stop"
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
# init_variables _j
# Initialize the various jail variables for jail _j.
#
init_variables()
{
_j="$1"
if [ -z "$_j" ]; then
warn "init_variables: you must specify a jail"
return
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _rootdir=\"\$jail_${_j}_rootdir\"
_devdir="${_rootdir}/dev"
_fdescdir="${_devdir}/fd"
_procdir="${_rootdir}/proc"
eval _hostname=\"\$jail_${_j}_hostname\"
eval _ip=\"\$jail_${_j}_ip\"
Allow a jail's IP alias to be created with an arbitrary netmask. MFC after: 3 days
2008-09-24 15:18:27 +00:00
eval _netmask=\"\${jail_${_j}_netmask:-255.255.255.255}\"
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
eval _exec=\"\$jail_${_j}_exec\"
eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"
Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is 1,2 and so on. It specifies the command to be run as Nth after jail startup. sh(1)-fu by: Dario Freni PR: conf/97697 MFC after: 2 weeks Reviewed by: ru@ (man page)
2006-05-30 16:20:48 +00:00
i=1
while [ true ]; do
eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
Fix indentation.
2007-05-24 06:01:06 +00:00
[ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break
Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is 1,2 and so on. It specifies the command to be run as Nth after jail startup. sh(1)-fu by: Dario Freni PR: conf/97697 MFC after: 2 weeks Reviewed by: ru@ (man page)
2006-05-30 16:20:48 +00:00
i=$((i + 1))
done
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\"
if [ -n "${_exec}" ]; then
Improve the RC framework for the clean booting/shutdown of Jails: 1. Feature: for flexibility reasons and as a prerequisite to clean shutdowns, allow the configuration of a stop/shutdown command via rc.conf variable "jail_<name>_exec_stop" in addition to the start/boot command (rc.conf variable "jail_<name>_exec_start"). For backward compatibility reasons, rc.conf variable "jail_<name>_exec" is still supported, too. 2. Debug: Add the used boot/shutdown commands to the debug output of the /etc/rc.d/jail script, too. 3. Security: Run the Jail start/boot command in a cleaned environment to not leak information from the host to the Jail during startup. 4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on "/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail before its processes are just killed. 5. Bugfix: When killing the remaining Jail processes give the processes time to actually perform their termination sequence. Without this the subsequent umount(8) operations usually fail because the resources are still in use. Additionally, if after trying to TERM-inate the processes there are still processes hanging around, finally just KILL them. 6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/* scripts which are flagged with the KEYWORD "nojail" to allow the correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh /etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail. Now the following typical host-configuration for two Jails works as expected and correctly boots and shutdowns the Jails: ----------------------------------------------------------- # /etc/rc.conf: jail_enable="YES" jail_list="foo bar" jail_foo_rootdir="/j/foo" jail_foo_hostname="foo.example.com" jail_foo_ip="192.168.0.1" jail_foo_devfs_enable="YES" jail_foo_mount_enable="YES" jail_foo_exec_start="/bin/sh /etc/rc" jail_foo_exec_stop="/bin/sh /etc/rc.shutdown" jail_bar_rootdir="/j/bar" jail_bar_hostname="bar.example.com" jail_bar_ip="192.168.0.2" jail_bar_devfs_enable="YES" jail_bar_mount_enable="YES" jail_bar_exec_start="/path/to/kjailer -v" jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'" ----------------------------------------------------------- # /etc/fstab.foo /v/foo /j/foo/v/foo nullfs rw 0 0 ----------------------------------------------------------- # /etc/fstab.bar /v/bar /j/bar/v/bar nullfs rw 0 0 ----------------------------------------------------------- Reviewed by: freebsd-hackers MFC after: 2 weeks
2004-12-14 14:36:35 +00:00
# simple/backward-compatible execution
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
_exec_start="${_exec}"
_exec_stop=""
Improve the RC framework for the clean booting/shutdown of Jails: 1. Feature: for flexibility reasons and as a prerequisite to clean shutdowns, allow the configuration of a stop/shutdown command via rc.conf variable "jail_<name>_exec_stop" in addition to the start/boot command (rc.conf variable "jail_<name>_exec_start"). For backward compatibility reasons, rc.conf variable "jail_<name>_exec" is still supported, too. 2. Debug: Add the used boot/shutdown commands to the debug output of the /etc/rc.d/jail script, too. 3. Security: Run the Jail start/boot command in a cleaned environment to not leak information from the host to the Jail during startup. 4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on "/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail before its processes are just killed. 5. Bugfix: When killing the remaining Jail processes give the processes time to actually perform their termination sequence. Without this the subsequent umount(8) operations usually fail because the resources are still in use. Additionally, if after trying to TERM-inate the processes there are still processes hanging around, finally just KILL them. 6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/* scripts which are flagged with the KEYWORD "nojail" to allow the correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh /etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail. Now the following typical host-configuration for two Jails works as expected and correctly boots and shutdowns the Jails: ----------------------------------------------------------- # /etc/rc.conf: jail_enable="YES" jail_list="foo bar" jail_foo_rootdir="/j/foo" jail_foo_hostname="foo.example.com" jail_foo_ip="192.168.0.1" jail_foo_devfs_enable="YES" jail_foo_mount_enable="YES" jail_foo_exec_start="/bin/sh /etc/rc" jail_foo_exec_stop="/bin/sh /etc/rc.shutdown" jail_bar_rootdir="/j/bar" jail_bar_hostname="bar.example.com" jail_bar_ip="192.168.0.2" jail_bar_devfs_enable="YES" jail_bar_mount_enable="YES" jail_bar_exec_start="/path/to/kjailer -v" jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'" ----------------------------------------------------------- # /etc/fstab.foo /v/foo /j/foo/v/foo nullfs rw 0 0 ----------------------------------------------------------- # /etc/fstab.bar /v/bar /j/bar/v/bar nullfs rw 0 0 ----------------------------------------------------------- Reviewed by: freebsd-hackers MFC after: 2 weeks
2004-12-14 14:36:35 +00:00
else
# flexible execution
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -z "${_exec_start}" ]; then
_exec_start="/bin/sh /etc/rc"
if [ -z "${_exec_stop}" ]; then
_exec_stop="/bin/sh /etc/rc.shutdown"
Improve the RC framework for the clean booting/shutdown of Jails: 1. Feature: for flexibility reasons and as a prerequisite to clean shutdowns, allow the configuration of a stop/shutdown command via rc.conf variable "jail_<name>_exec_stop" in addition to the start/boot command (rc.conf variable "jail_<name>_exec_start"). For backward compatibility reasons, rc.conf variable "jail_<name>_exec" is still supported, too. 2. Debug: Add the used boot/shutdown commands to the debug output of the /etc/rc.d/jail script, too. 3. Security: Run the Jail start/boot command in a cleaned environment to not leak information from the host to the Jail during startup. 4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on "/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail before its processes are just killed. 5. Bugfix: When killing the remaining Jail processes give the processes time to actually perform their termination sequence. Without this the subsequent umount(8) operations usually fail because the resources are still in use. Additionally, if after trying to TERM-inate the processes there are still processes hanging around, finally just KILL them. 6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/* scripts which are flagged with the KEYWORD "nojail" to allow the correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh /etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail. Now the following typical host-configuration for two Jails works as expected and correctly boots and shutdowns the Jails: ----------------------------------------------------------- # /etc/rc.conf: jail_enable="YES" jail_list="foo bar" jail_foo_rootdir="/j/foo" jail_foo_hostname="foo.example.com" jail_foo_ip="192.168.0.1" jail_foo_devfs_enable="YES" jail_foo_mount_enable="YES" jail_foo_exec_start="/bin/sh /etc/rc" jail_foo_exec_stop="/bin/sh /etc/rc.shutdown" jail_bar_rootdir="/j/bar" jail_bar_hostname="bar.example.com" jail_bar_ip="192.168.0.2" jail_bar_devfs_enable="YES" jail_bar_mount_enable="YES" jail_bar_exec_start="/path/to/kjailer -v" jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'" ----------------------------------------------------------- # /etc/fstab.foo /v/foo /j/foo/v/foo nullfs rw 0 0 ----------------------------------------------------------- # /etc/fstab.bar /v/bar /j/bar/v/bar nullfs rw 0 0 ----------------------------------------------------------- Reviewed by: freebsd-hackers MFC after: 2 weeks
2004-12-14 14:36:35 +00:00
fi
fi
fi
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
# The default jail ruleset will be used by rc.subr if none is specified.
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
[ -z "${_devfs}" ] && _devfs="NO"
eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\"
[ -z "${_fdescfs}" ] && _fdescfs="NO"
eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\"
[ -z "${_procfs}" ] && _procfs="NO"
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\"
[ -z "${_mount}" ] && _mount="NO"
Implement per-jail fstab(5) files. Here's a rc.conf sample using this feature for a jail named foo : jail_foo_mount_enable="YES" jail_foo_fstab="/etc/fstab.foo" The second line is actually useless, since the code defaults to using "/etc/fstab.$jailname" as the fstab file if none is specified. MFC after: 3 days Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2004-11-23 20:09:58 +00:00
# "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
[ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
[ -z "${_flags}" ] && _flags="-l -U root"
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
[ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
Allow a jail to be started with a specific route fib. Reviewed by: secteam (simon) Reviewed by: brooks, bz
2008-09-16 20:18:25 +00:00
eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
Implement per-jail fstab(5) files. Here's a rc.conf sample using this feature for a jail named foo : jail_foo_mount_enable="YES" jail_foo_fstab="/etc/fstab.foo" The second line is actually useless, since the code defaults to using "/etc/fstab.$jailname" as the fstab file if none is specified. MFC after: 3 days Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2004-11-23 20:09:58 +00:00
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
# Debugging aid
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
#
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
debug "$_j devfs enable: $_devfs"
debug "$_j fdescfs enable: $_fdescfs"
debug "$_j procfs enable: $_procfs"
debug "$_j mount enable: $_mount"
debug "$_j hostname: $_hostname"
debug "$_j ip: $_ip"
Allow a jail's IP alias to be created with an arbitrary netmask. MFC after: 3 days
2008-09-24 15:18:27 +00:00
debug "$_j netmask: $_netmask"
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
debug "$_j interface: $_interface"
Allow a jail to be started with a specific route fib. Reviewed by: secteam (simon) Reviewed by: brooks, bz
2008-09-16 20:18:25 +00:00
debug "$_j fib: $_fib"
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
debug "$_j root: $_rootdir"
debug "$_j devdir: $_devdir"
debug "$_j fdescdir: $_fdescdir"
debug "$_j procdir: $_procdir"
debug "$_j ruleset: $_ruleset"
debug "$_j fstab: $_fstab"
debug "$_j exec start: $_exec_start"
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
debug "$_j consolelog: $_consolelog"
Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is 1,2 and so on. It specifies the command to be run as Nth after jail startup. sh(1)-fu by: Dario Freni PR: conf/97697 MFC after: 2 weeks Reviewed by: ru@ (man page)
2006-05-30 16:20:48 +00:00
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
debug "$_j exec after start #${i}: ${out}"
i=$((i + 1))
done
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
debug "$_j exec stop: $_exec_stop"
debug "$_j flags: $_flags"
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
debug "$_j consolelog: $_consolelog"
- Check for some mandatory variables. Approved by: cperciva (mentor) MFC after: 1 week
2006-05-07 23:15:39 +00:00
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -z "${_hostname}" ]; then
- Check for some mandatory variables. Approved by: cperciva (mentor) MFC after: 1 week
2006-05-07 23:15:39 +00:00
err 3 "$name: No hostname has been defined for ${_j}"
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -z "${_rootdir}" ]; then
- Check for some mandatory variables. Approved by: cperciva (mentor) MFC after: 1 week
2006-05-07 23:15:39 +00:00
err 3 "$name: No root directory has been defined for ${_j}"
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -z "${_ip}" ]; then
- Check for some mandatory variables. Approved by: cperciva (mentor) MFC after: 1 week
2006-05-07 23:15:39 +00:00
err 3 "$name: No IP address has been defined for ${_j}"
fi
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
}
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
# set_sysctl rc_knob mib msg
# If the mib sysctl is set according to what rc_knob
# specifies, this function does nothing. However if
# rc_knob is set differently than mib, then the mib
# is set accordingly and msg is displayed followed by
# an '=" sign and the word 'YES' or 'NO'.
#
set_sysctl()
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
{
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
_knob="$1"
_mib="$2"
_msg="$3"
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
_current=`${SYSCTL} -n $_mib 2>/dev/null`
if checkyesno $_knob ; then
if [ "$_current" -ne 1 ]; then
echo -n " ${_msg}=YES"
${SYSCTL_W} 1>/dev/null ${_mib}=1
fi
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
else
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
if [ "$_current" -ne 0 ]; then
echo -n " ${_msg}=NO"
${SYSCTL_W} 1>/dev/null ${_mib}=0
fi
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
fi
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
}
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
# is_current_mountpoint()
# Is the directory mount point for a currently mounted file
# system?
#
is_current_mountpoint()
{
local _dir _dir2
_dir=$1
_dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
[ ! -d "${_dir}" ] && return 1
_dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
[ "${_dir}" = "${_dir2}" ]
return $?
}
# is_symlinked_mountpoint()
# Is a mount point, or any of its parent directories, a symlink?
#
is_symlinked_mountpoint()
{
local _dir
_dir=$1
[ -L "$_dir" ] && return 0
[ "$_dir" = "/" ] && return 1
is_symlinked_mountpoint `dirname $_dir`
return $?
}
# secure_umount
# Try to unmount a mount point without being vulnerable to
# symlink attacks.
#
secure_umount()
{
local _dir
_dir=$1
if is_current_mountpoint ${_dir}; then
umount -f ${_dir} >/dev/null 2>&1
else
debug "Nothing mounted on ${_dir} - not unmounting"
fi
}
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
# jail_umount_fs
# This function unmounts certain special filesystems in the
# currently selected jail. The caller must call the init_variables()
# routine before calling this one.
#
jail_umount_fs()
{
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
local _device _mountpt _rest
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _fdescfs; then
if [ -d "${_fdescdir}" ] ; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
secure_umount ${_fdescdir}
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
fi
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _devfs; then
if [ -d "${_devdir}" ] ; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
secure_umount ${_devdir}
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
fi
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _procfs; then
if [ -d "${_procdir}" ] ; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
secure_umount ${_procdir}
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
fi
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _mount; then
[ -f "${_fstab}" ] || warn "${_fstab} does not exist"
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
tail -r ${_fstab} | while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
;;
esac
secure_umount ${_mountpt}
done
Implement per-jail fstab(5) files. Here's a rc.conf sample using this feature for a jail named foo : jail_foo_mount_enable="YES" jail_foo_fstab="/etc/fstab.foo" The second line is actually useless, since the code defaults to using "/etc/fstab.$jailname" as the fstab file if none is specified. MFC after: 3 days Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2004-11-23 20:09:58 +00:00
fi
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
}
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
# jail_mount_fstab()
# Mount file systems from a per jail fstab while trying to
# secure against symlink attacks at the mount points.
#
# If we are certain we cannot secure against symlink attacks we
# do not mount all of the file systems (since we cannot just not
# mount the file system with the problematic mount point).
#
# The caller must call the init_variables() routine before
# calling this one.
#
jail_mount_fstab()
{
local _device _mountpt _rest
while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
;;
esac
if is_symlinked_mountpoint ${_mountpt}; then
warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
return
fi
done <${_fstab}
mount -a -F "${_fstab}"
}
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
jail_start()
{
echo -n 'Configuring jails:'
set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
set_hostname_allow
set_sysctl jail_socket_unixiproute_only \
security.jail.socket_unixiproute_only unixiproute_only
set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
sysvipc_allow
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
echo '.'
Configure a jail sysctl value only if it is different than what the rc.conf(5) knob specifies. Also, correct a minor capitalization error.
2004-02-03 07:15:32 +00:00
echo -n 'Starting jails:'
Create temporary files safely. Submitted by: Jon Passki <cykyc@yahoo.com>
2004-08-16 16:37:06 +00:00
_tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
err 3 "$name: Can't create temp dir, exiting..."
Remove trailing whitespace
2003-10-13 08:20:55 +00:00
for _jail in ${jail_list}
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
do
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
init_variables $_jail
Skip jails which are already running and inform why. We're checking for /var/run/jail_<name>.id file and if it exists, we don't start the jail. It should be also safe in case of reboot(8), because rc.d/cleanvar script is going to remove /var/run/jail_* files. It helps to avoid potential mess when the same jail is started twice, because of an administrator mistake (been there, done that). MFC after: 1 week
2005-08-07 23:19:02 +00:00
if [ -f /var/run/jail_${_jail}.id ]; then
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
Skip jails which are already running and inform why. We're checking for /var/run/jail_<name>.id file and if it exists, we don't start the jail. It should be also safe in case of reboot(8), because rc.d/cleanvar script is going to remove /var/run/jail_* files. It helps to avoid potential mess when the same jail is started twice, because of an administrator mistake (been there, done that). MFC after: 1 week
2005-08-07 23:19:02 +00:00
continue;
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -n "${_interface}" ]; then
Allow a jail's IP alias to be created with an arbitrary netmask. MFC after: 3 days
2008-09-24 15:18:27 +00:00
ifconfig ${_interface} alias ${_ip} netmask ${_netmask}
- Add following global jail options, used if no jail-specific options are set: * jail_mount_enable * jail_devfs_ruleset * jail_devfs_enable * jail_fdescfs_enable * jail_procfs_enable * jail_fstab * jail_flags - Add a jail_interface / jail_<jid>_interface option. An ip alias will be created (jail_<jid>_ip) on jail_interface or jail_<jid>_interface if set. This is not a mandatory option. - Document all missing jail_* options in rc.conf(5). Approved by: cperciva (mentor) MFC after: 2 weeks
2006-04-08 12:15:36 +00:00
fi
Allow a jail to be started with a specific route fib. Reviewed by: secteam (simon) Reviewed by: brooks, bz
2008-09-16 20:18:25 +00:00
if [ -n "${_fib}" ]; then
_setfib="setfib -F '${_fib}'"
else
_setfib=""
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _mount; then
info "Mounting fstab for jail ${_jail} (${_fstab})"
if [ ! -f "${_fstab}" ]; then
err 3 "$name: ${_fstab} does not exist"
Implement per-jail fstab(5) files. Here's a rc.conf sample using this feature for a jail named foo : jail_foo_mount_enable="YES" jail_foo_fstab="/etc/fstab.foo" The second line is actually useless, since the code defaults to using "/etc/fstab.$jailname" as the fstab file if none is specified. MFC after: 3 days Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2004-11-23 20:09:58 +00:00
fi
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
jail_mount_fstab
Implement per-jail fstab(5) files. Here's a rc.conf sample using this feature for a jail named foo : jail_foo_mount_enable="YES" jail_foo_fstab="/etc/fstab.foo" The second line is actually useless, since the code defaults to using "/etc/fstab.$jailname" as the fstab file if none is specified. MFC after: 3 days Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2004-11-23 20:09:58 +00:00
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _devfs; then
Do not unconditionally mount devfs to ${jail_devdir}/dev. First check to see if a prior devfs has been mounted. If no devfs is mounted on ${jail_devdir}/dev then proceed. This will prevent the stack up of multiple devfs mounts on the same mount point. Discussed with: pjd MFC after: 1 week
2005-04-30 00:16:00 +00:00
# If devfs is already mounted here, skip it.
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
df -t devfs "${_devdir}" >/dev/null
Do not unconditionally mount devfs to ${jail_devdir}/dev. First check to see if a prior devfs has been mounted. If no devfs is mounted on ${jail_devdir}/dev then proceed. This will prevent the stack up of multiple devfs mounts on the same mount point. Discussed with: pjd MFC after: 1 week
2005-04-30 00:16:00 +00:00
if [ $? -ne 0 ]; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
if is_symlinked_mountpoint ${_devdir}; then
warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
continue
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
info "Mounting devfs on ${_devdir}"
devfs_mount_jail "${_devdir}" ${_ruleset}
Do not unconditionally mount devfs to ${jail_devdir}/dev. First check to see if a prior devfs has been mounted. If no devfs is mounted on ${jail_devdir}/dev then proceed. This will prevent the stack up of multiple devfs mounts on the same mount point. Discussed with: pjd MFC after: 1 week
2005-04-30 00:16:00 +00:00
# Transitional symlink for old binaries
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ ! -L "${_devdir}/log" ]; then
Do not unconditionally mount devfs to ${jail_devdir}/dev. First check to see if a prior devfs has been mounted. If no devfs is mounted on ${jail_devdir}/dev then proceed. This will prevent the stack up of multiple devfs mounts on the same mount point. Discussed with: pjd MFC after: 1 week
2005-04-30 00:16:00 +00:00
__pwd="`pwd`"
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
cd "${_devdir}"
Do not unconditionally mount devfs to ${jail_devdir}/dev. First check to see if a prior devfs has been mounted. If no devfs is mounted on ${jail_devdir}/dev then proceed. This will prevent the stack up of multiple devfs mounts on the same mount point. Discussed with: pjd MFC after: 1 week
2005-04-30 00:16:00 +00:00
ln -sf ../var/run/log log
cd "$__pwd"
fi
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
fi
o Rename devfs_link() to make_symlink() and turn it into a generic symlinking routine. o Modify rc.d/jail to create its own symlink relative to the jail's filesystem
2003-12-09 08:51:11 +00:00
# XXX - It seems symlinks don't work when there
# is a devfs(5) device of the same name.
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
# Jail console output
o Rename devfs_link() to make_symlink() and turn it into a generic symlinking routine. o Modify rc.d/jail to create its own symlink relative to the jail's filesystem
2003-12-09 08:51:11 +00:00
# __pwd="`pwd`"
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
# cd "${_devdir}"
o Rename devfs_link() to make_symlink() and turn it into a generic symlinking routine. o Modify rc.d/jail to create its own symlink relative to the jail's filesystem
2003-12-09 08:51:11 +00:00
# ln -sf ../var/log/console console
# cd "$__pwd"
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _fdescfs; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
if is_symlinked_mountpoint ${_fdescdir}; then
warn "${_fdescdir} has symlink as parent, not mounting"
else
info "Mounting fdescfs on ${_fdescdir}"
mount -t fdescfs fdesc "${_fdescdir}"
fi
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if checkyesno _procfs; then
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
if is_symlinked_mountpoint ${_procdir}; then
warn "${_procdir} has symlink as parent, not mounting"
else
info "Mounting procfs onto ${_procdir}"
if [ -d "${_procdir}" ] ; then
mount -t procfs proc "${_procdir}"
fi
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
fi
fi
Create temporary files safely. Submitted by: Jon Passki <cykyc@yahoo.com>
2004-08-16 16:37:06 +00:00
_tmp_jail=${_tmp_dir}/jail.$$
Allow a jail to be started with a specific route fib. Reviewed by: secteam (simon) Reviewed by: brooks, bz
2008-09-16 20:18:25 +00:00
eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is 1,2 and so on. It specifies the command to be run as Nth after jail startup. sh(1)-fu by: Dario Freni PR: conf/97697 MFC after: 2 weeks Reviewed by: ru@ (man page)
2006-05-30 16:20:48 +00:00
style(9)
2006-05-30 16:07:59 +00:00
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is 1,2 and so on. It specifies the command to be run as Nth after jail startup. sh(1)-fu by: Dario Freni PR: conf/97697 MFC after: 2 weeks Reviewed by: ru@ (man page)
2006-05-30 16:20:48 +00:00
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
jexec "${_jail_id}" ${out}
i=$((i + 1))
done
echo -n " $_hostname"
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
tail +2 ${_tmp_jail} >${_consolelog}
style(9)
2006-05-30 16:07:59 +00:00
echo ${_jail_id} > /var/run/jail_${_jail}.id
else
jail_umount_fs
Jail_ip and jail_interface local variables were renamed to _ip and _interface in a previous commit to avoid namespace collisions, unfortunately I missed two of them. This leads to the ip alias being incorrectly removed in some cases when using the stop command. Reported by: Philipp Wuensche <cryx-freebsd@h3q.com>
2007-01-02 11:07:13 +00:00
if [ -n "${_interface}" ]; then
ifconfig ${_interface} -alias ${_ip}
if a jail fails to start, don't add its jid to /var/run and print a message with the error. PR: conf/97024 MFC after: 1 week
2006-05-09 17:50:16 +00:00
fi
style(9)
2006-05-30 16:07:59 +00:00
echo " cannot start jail \"${_jail}\": "
tail +2 ${_tmp_jail}
fi
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
rm -f ${_tmp_jail}
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
done
Create temporary files safely. Submitted by: Jon Passki <cykyc@yahoo.com>
2004-08-16 16:37:06 +00:00
rmdir ${_tmp_dir}
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
echo '.'
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
}
jail_stop()
{
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
echo -n 'Stopping jails:'
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
for _jail in ${jail_list}
do
Always quote variables in tests, to ensure correct evaluation even when they are empty or undefined. MFC after: 3 days
2004-08-19 08:55:24 +00:00
if [ -f "/var/run/jail_${_jail}.id" ]; then
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
_jail_id=$(cat /var/run/jail_${_jail}.id)
Always quote variables in tests, to ensure correct evaluation even when they are empty or undefined. MFC after: 3 days
2004-08-19 08:55:24 +00:00
if [ ! -z "${_jail_id}" ]; then
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
init_variables $_jail
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -n "${_exec_stop}" ]; then
eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \
Fix jail rc.d script privilege escalation via symlink attack against /var/log/console.log and mount points. Security: FreeBSD-SA-07:01.jail
2007-01-11 18:18:57 +00:00
>> ${_consolelog} 2>&1
Improve the RC framework for the clean booting/shutdown of Jails: 1. Feature: for flexibility reasons and as a prerequisite to clean shutdowns, allow the configuration of a stop/shutdown command via rc.conf variable "jail_<name>_exec_stop" in addition to the start/boot command (rc.conf variable "jail_<name>_exec_start"). For backward compatibility reasons, rc.conf variable "jail_<name>_exec" is still supported, too. 2. Debug: Add the used boot/shutdown commands to the debug output of the /etc/rc.d/jail script, too. 3. Security: Run the Jail start/boot command in a cleaned environment to not leak information from the host to the Jail during startup. 4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on "/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail before its processes are just killed. 5. Bugfix: When killing the remaining Jail processes give the processes time to actually perform their termination sequence. Without this the subsequent umount(8) operations usually fail because the resources are still in use. Additionally, if after trying to TERM-inate the processes there are still processes hanging around, finally just KILL them. 6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/* scripts which are flagged with the KEYWORD "nojail" to allow the correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh /etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail. Now the following typical host-configuration for two Jails works as expected and correctly boots and shutdowns the Jails: ----------------------------------------------------------- # /etc/rc.conf: jail_enable="YES" jail_list="foo bar" jail_foo_rootdir="/j/foo" jail_foo_hostname="foo.example.com" jail_foo_ip="192.168.0.1" jail_foo_devfs_enable="YES" jail_foo_mount_enable="YES" jail_foo_exec_start="/bin/sh /etc/rc" jail_foo_exec_stop="/bin/sh /etc/rc.shutdown" jail_bar_rootdir="/j/bar" jail_bar_hostname="bar.example.com" jail_bar_ip="192.168.0.2" jail_bar_devfs_enable="YES" jail_bar_mount_enable="YES" jail_bar_exec_start="/path/to/kjailer -v" jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'" ----------------------------------------------------------- # /etc/fstab.foo /v/foo /j/foo/v/foo nullfs rw 0 0 ----------------------------------------------------------- # /etc/fstab.bar /v/bar /j/bar/v/bar nullfs rw 0 0 ----------------------------------------------------------- Reviewed by: freebsd-hackers MFC after: 2 weeks
2004-12-14 14:36:35 +00:00
fi
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
killall -j ${_jail_id} -TERM > /dev/null 2>&1
Improve the RC framework for the clean booting/shutdown of Jails: 1. Feature: for flexibility reasons and as a prerequisite to clean shutdowns, allow the configuration of a stop/shutdown command via rc.conf variable "jail_<name>_exec_stop" in addition to the start/boot command (rc.conf variable "jail_<name>_exec_start"). For backward compatibility reasons, rc.conf variable "jail_<name>_exec" is still supported, too. 2. Debug: Add the used boot/shutdown commands to the debug output of the /etc/rc.d/jail script, too. 3. Security: Run the Jail start/boot command in a cleaned environment to not leak information from the host to the Jail during startup. 4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on "/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail before its processes are just killed. 5. Bugfix: When killing the remaining Jail processes give the processes time to actually perform their termination sequence. Without this the subsequent umount(8) operations usually fail because the resources are still in use. Additionally, if after trying to TERM-inate the processes there are still processes hanging around, finally just KILL them. 6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/* scripts which are flagged with the KEYWORD "nojail" to allow the correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh /etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail. Now the following typical host-configuration for two Jails works as expected and correctly boots and shutdowns the Jails: ----------------------------------------------------------- # /etc/rc.conf: jail_enable="YES" jail_list="foo bar" jail_foo_rootdir="/j/foo" jail_foo_hostname="foo.example.com" jail_foo_ip="192.168.0.1" jail_foo_devfs_enable="YES" jail_foo_mount_enable="YES" jail_foo_exec_start="/bin/sh /etc/rc" jail_foo_exec_stop="/bin/sh /etc/rc.shutdown" jail_bar_rootdir="/j/bar" jail_bar_hostname="bar.example.com" jail_bar_ip="192.168.0.2" jail_bar_devfs_enable="YES" jail_bar_mount_enable="YES" jail_bar_exec_start="/path/to/kjailer -v" jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'" ----------------------------------------------------------- # /etc/fstab.foo /v/foo /j/foo/v/foo nullfs rw 0 0 ----------------------------------------------------------- # /etc/fstab.bar /v/bar /j/bar/v/bar nullfs rw 0 0 ----------------------------------------------------------- Reviewed by: freebsd-hackers MFC after: 2 weeks
2004-12-14 14:36:35 +00:00
sleep 1
killall -j ${_jail_id} -KILL > /dev/null 2>&1
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
jail_umount_fs
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
echo -n " $_hostname"
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
fi
- Change the "jail_" prefix for internal script variables. This fixes an issue where some global jail_* variables were overriden in the script. [1] - Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a jail id. [1] - Update examples and comments in defaults/rc.conf to advertise new variables and the fact that some of the jail-specific variables may be made jail-global. [2] Reported by: pjd [1], clsung [2] Approved by: cperciva X-MFC after: i got sufficient testing from people using rc.d/jail
2006-05-11 14:23:43 +00:00
if [ -n "${_interface}" ]; then
ifconfig ${_interface} -alias ${_ip}
- Add following global jail options, used if no jail-specific options are set: * jail_mount_enable * jail_devfs_ruleset * jail_devfs_enable * jail_fdescfs_enable * jail_procfs_enable * jail_fstab * jail_flags - Add a jail_interface / jail_<jid>_interface option. An ip alias will be created (jail_<jid>_ip) on jail_interface or jail_<jid>_interface if set. This is not a mandatory option. - Document all missing jail_* options in rc.conf(5). Approved by: cperciva (mentor) MFC after: 2 weeks
2006-04-08 12:15:36 +00:00
fi
Support starting/stoping of jails individually. This commit also removes the support for the sysutils/jailer port. This is inline with the general policy to keep ports related knobs out of the base system's configuration mechanism. Submitted by: Juergen Unger <j.unger@addict.de>
2004-02-02 13:25:28 +00:00
rm /var/run/jail_${_jail}.id
else
if a jail fails to start, don't add its jid to /var/run and print a message with the error. PR: conf/97024 MFC after: 1 week
2006-05-09 17:50:16 +00:00
echo " cannot stop jail ${_jail}. No jail id in /var/run"
Enhance the jail start/stop script. o The following additional configuration attributes of a jail can be controlled from rc.conf: - mounting devfs(5) - mounting fdescfs(5) - mounting procfs(5) - custom devfs(8) ruleset If no ruleset is specified, the default jail ruleset is used. o The output of executing /etc/rc in the jail is now redirected to /dev/null. Instead, the hostname of the jail is echoed if the jail(8) command exited successfully. If the output is wanted it can probably be redirected to a file (/var/run/$jail maybe) instead of /dev/null. Submitted by: Scot W. Hetzel <hetzels@westbend.net> with modifications by Jens Rehsack <rehsack@liwing.de> and me.
2003-08-24 06:29:32 +00:00
fi
done
o Unbreak the individual jail starting patch that I broke when I committed it. Apologies to Juergen Unger <j.unger@addict.de>. o When stopping jails output the hostname of the jails that were stopped. o Refactor o Remove extraneous empty line o Correct spelling error
2004-02-03 12:59:30 +00:00
echo '.'
o Add a script to start jails on boot. o Hook it up to the build Approved by: markm (mentor) Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org> (modified) Prodded by: mike
2003-04-16 16:27:23 +00:00
}
load_rc_config $name
Allow to give more than one jail's name, eg.: # /etc/rc.d/jail start www mail MFC after: 3 days
2005-08-07 22:38:41 +00:00
cmd="$1"
if [ $# -gt 0 ]; then
shift
fi
Fix overriding jail_list from command line. MFC after: 3 days
2006-03-08 20:40:37 +00:00
if [ -n "$*" ]; then
jail_list="$*"
fi
Allow to give more than one jail's name, eg.: # /etc/rc.d/jail start www mail MFC after: 3 days
2005-08-07 22:38:41 +00:00
run_rc_command "${cmd}"
Reference in New Issue Copy Permalink