Commit Graph

74 Commits

Author SHA1 Message Date
delphij
65c65c74d4 Initialize lcap and pwd to NULL. This allows a WARNS=6 clean build,
hence bump it to 6.

Note that the last commit message was not quite accurate.  While the
assumption exists in the code, it's not possible to have an
uninitialized p there because if lflag is set when username is NULL
then execution would be terminated earlier.
2004-11-17 10:01:48 +00:00
delphij
0c3804bf65 The code path in main() dealing with lflag assumes that p was
initialized with NULL, while it is not.  So let's initialize
it.
2004-11-17 09:52:10 +00:00
stefanf
d00a4eaaea Pass an array of gid_t rather than an array of int to getgroups().
PR:	56646
2004-10-02 11:40:48 +00:00
maxim
4c83768639 o Add -l option to jail(8) similar to su(1): before running jail'ed
program under specific user's credentials, clean the environment and
set only a few variables.

PR:		bin/70024
Submitted by:	demon
MFC after:	1 month
2004-08-15 08:21:50 +00:00
ru
6294018a20 Mechanically kill hard sentence breaks. 2004-07-02 23:13:00 +00:00
pjd
bf8b1fec3a Prepare jail(8) utility for new functionality which will limit
seeing status of mounted file system for jailed processes.
Pass full path of jail's root directory to the kernel. mount(8) utility is
doing the same thing already.
2004-06-27 10:10:16 +00:00
ru
fbb5447570 Markup nits. 2004-06-05 20:27:10 +00:00
csjp
a4a53235be Sentences should not start with conjunctions. Change "Because"
to "Since".

Pointed out by:	Ceri
2004-06-01 20:32:44 +00:00
csjp
2a8b55a029 Add a warning note to security.jail.allow_raw_sockets
about the risks of enabling raw sockets in prisons.

Because raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to
untrusted parties. As such, by default this option is disabled.

A few others and I are currently auditing the kernel
source code to ensure that the use of raw sockets by
privledged prison users is safe.

Approved by:	bmilekic (mentor)
2004-06-01 00:25:44 +00:00
maxim
872614c8b3 o Implement -U flag: run command as user which exists only in jail.
o getpwnam(3) returns NULL and does not set errno when the user does
  not exist.  Bail out with "no such user" instead of "Unknown error: 0".

PR:		bin/67262
Submitted by:	demon (-U flag)
MFC after:	3 weeks
2004-05-29 18:39:27 +00:00
dannyboy
6e5d1af09e Typos and nits. 2004-05-20 06:37:44 +00:00
pjd
8b1807b878 Document security.jail.getfsstatroot_only sysctl.
Obtained from:	rwatson's commit log
Approved by:	rwatson
2004-05-20 05:30:16 +00:00
simon
8cd95c1a2a mdoc(7) cleanup for the last commit to this file.
OK'ed by:	bmilekic
2004-05-04 14:39:32 +00:00
bmilekic
02ff3165ce Ammend jail(8) man page to explain new sysctl for raw-sockets
inside jails, Christian's last submission.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>
2004-05-03 21:12:23 +00:00
le
0aaa719b27 Correct typo. 2004-02-06 21:05:42 +00:00
rwatson
b7bf2a8dfd A variety of content cleanups:
(1) Document the notion of using jail(8) to run "virtual servers" or
    just to constrain specific applications.  If only running specific
    applications, some configuration steps are unnecessary (such as
    editing rc.conf).

(2) Add some more subsection headers to break up the bigger chunks of
    text.

(3) Clarify the problems associated with applications binding all IP
    addresses in the host, and attempt to be more specific about
    potential application problems.  Document how to force sshd to
    bind the the right socket.

(4) Suggest that in a jailed application scenario, you might want to
    have the host syslogd listen on the socket in the jail, rather
    than running syslogd in the jail.

(5) Catch another reference to /stand/sysinstall.

Approved by:	re (bmah implicitly)
2003-11-20 03:47:50 +00:00
rwatson
6b9c80ba7a No need to copy sysinstall into a jail with -CURRENT, since in
-CURRENT, we have /usr/sbin/sysinstall.

Approved by:	re (bmah implicitly)
2003-11-20 02:46:44 +00:00
kensmith
b7f1084c7b - Add a note that there are two MIB variables that have per-jail
settings.

Reviewed by:	rwatson
Approved by:	blackend (mentor)
2003-11-11 18:34:29 +00:00
charnier
01f9734fe0 add FBSDID 2003-07-06 12:44:11 +00:00
rwatson
0536901a65 When pointing users at mount_devfs to populate the /dev of a jail,
tell them that they also need to use devfs rules to prevent
inappropriate devices from appearing in the jail; add an Xref.  In
earlier versions of this man page, the user was instructed to use
sh MAKEDEV jail, which only created a minimal set of device nodes.
2003-06-26 19:04:15 +00:00
mike
82a28ce246 Force output of jail ID (if necessary) before excuting the command,
otherwise redirection of stdout to a file using block buffering will
not complete in time.
2003-04-21 17:20:48 +00:00
mike
6067525913 o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
  jail.
o Add -i option to jail(8) to output jail ID of newly created jail.
2003-04-09 03:04:12 +00:00
maxim
9b881ef3fc Free login_cap(3) resources after usage.
Submitted by:	demon
2003-04-07 10:16:37 +00:00
maxim
9ab2ed3bdb o Fix error messages formatting, style.
Prodded by:	bde
Reviewed by:	bde
2003-04-02 09:20:08 +00:00
maxim
723ed21bcb o Add -u <username> flag to jail(8): set user context before exec.
PR:		bin/44320
Submitted by:	Mike Matsnev <mike@po.cs.msu.su>
Reviewed by:	-current
MFC after:	6 weeks
2003-03-27 12:16:58 +00:00
maxim
ac2d1cc0c7 portmap_enable -> rpcbind_enable.
Spotted by:	Andrew Khlebutin <andreyh@perm.ru>
2003-03-18 14:01:02 +00:00
keramida
ac4f80b9ad Remove traces of MAKEDEV & add xref to mount_devfs(8).
DEVFS is now mandatory in CURRENT.

PR:		docs/48095
Submitted by:	Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
2003-02-28 22:47:18 +00:00
phk
5a6e603c6a Fix example, we do not need NO_MAKEDEV_RUN any more.
XXX: this example should be updated with a good example of devfs(8) rules.
2002-10-22 15:03:51 +00:00
charnier
d2168fe021 The .Nm utility 2002-07-14 14:47:15 +00:00
dd
3eafd11a94 Fix IP address typo.
PR:		38313
Submitted by:	Jeff Ito <jeffi@rcn.com>
2002-05-20 07:29:25 +00:00
des
4d6b787d2d Usage style sweep: spell "usage" with a small 'u'.
Also change one case of blatant __progname abuse (several more remain)
This commit does not touch anything in src/{contrib,crypto,gnu}/.
2002-04-22 13:44:47 +00:00
arr
1ae1e4e3f2 - Attempt to help declutter kern. sysctl by moving security out from
beneath it.

Reviewed by: rwatson
2002-01-16 06:55:30 +00:00
ru
9f316dd03a mdoc(7) police: ispell rev. 1.32. 2002-01-10 15:15:44 +00:00
ru
338a36ec96 mdoc(7) police: tidy up previous delta. 2002-01-10 15:14:22 +00:00
phk
cdb77be2ca Add some wisdom to the jail setup instructions. 2001-12-14 20:20:50 +00:00
ru
ff31678819 mdoc(7) police overhaul. 2001-12-14 10:18:15 +00:00
arr
a83ce1350e - Update the sysctl mibs in order to reflect the recent kern_jail.c
changes.

Approved by:	rwatson
Reviewed by:	rwatson
2001-12-12 05:24:50 +00:00
dd
581074f694 syslogd can now be configured to bind to a specific address. 2001-09-03 15:42:10 +00:00
dd
5faabe6e0b This is not jail(2), or anything else suitable to be referenced with .Fn. 2001-08-27 12:15:44 +00:00
obrien
9c97c8f02d Perform a major cleanup of the usr.sbin Makefiles.
These are not perfectly in agreement with each other style-wise, but they
are orders of orders of magnitude more consistent style-wise than before.
2001-07-20 06:20:32 +00:00
dd
911ca14c87 Remove whitespace at EOL. 2001-07-15 08:06:20 +00:00
ru
0d5f9334cf mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 15:12:08 +00:00
ru
b6359d6af6 mdoc(7) police: sort xrefs. 2001-07-05 08:13:03 +00:00
dd
fdda055e00 Set WARNS=2 on programs that compile cleanly with it; add $FreeBSD$
where necessary.

Submitted by:	Mike Barcroft <mike@q9media.com>
2001-06-30 05:39:36 +00:00
dd
2328ceabca Add missing includes and sort includes. 2001-06-24 20:28:19 +00:00
dd
e3cab8dc0c Include missing header files which define functions for which gcc has
builtints (e.g., exit, strcmp).
2001-06-24 20:25:23 +00:00
sobomax
6c2547ab1f Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by:	.Xr testing script
2001-06-07 16:59:19 +00:00
asmodai
3263ed06d8 Change NO_MAKEDEV to a finer granularity method:
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN.  The former implying the latter.
The names imply what they do.  The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV.  This should satisfy both parties on the MAKEDEV
challenge.
Reflect this in the documentation.
2001-03-29 14:03:29 +00:00
ru
afd506414e - Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.
2001-03-26 14:42:20 +00:00
ru
f10dc9aca1 Set the default manual section for usr.sbin/ to 8. 2001-03-20 18:17:26 +00:00