From G.Czaplinski@prioris.mini.pw.edu.pl  Sat Feb  8 12:08:38 2003
Return-Path: <G.Czaplinski@prioris.mini.pw.edu.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EFA1637B405
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  8 Feb 2003 12:08:37 -0800 (PST)
Received: from prioris.mini.pw.edu.pl (prioris.mini.pw.edu.pl [194.29.178.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 660E643F75
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  8 Feb 2003 12:08:37 -0800 (PST)
	(envelope-from G.Czaplinski@prioris.mini.pw.edu.pl)
Received: from localhost (localhost.mini.pw.edu.pl [127.0.0.1])
	by prioris.mini.pw.edu.pl (Postfix) with ESMTP id 217AD7D009
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  8 Feb 2003 21:08:35 +0100 (CET)
Received: by prioris.mini.pw.edu.pl (Postfix, from userid 1368)
	id C85C17CF1A; Sat,  8 Feb 2003 21:08:30 +0100 (CET)
Message-Id: <20030208200830.C85C17CF1A@prioris.mini.pw.edu.pl>
Date: Sat,  8 Feb 2003 21:08:30 +0100 (CET)
From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
Reply-To: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Manual page for jail(8) does not mention mounting devfs under jail.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48095
>Category:       docs
>Synopsis:       Manual page for jail(8) does not mention mounting devfs under jail.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keramida
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 08 12:10:07 PST 2003
>Closed-Date:    Fri Feb 28 15:49:45 PST 2003
>Last-Modified:  Wed Mar  5 12:30:06 PST 2003
>Originator:     Grzegorz Czaplinski
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD tahoe.acn.waw.pl 5.0-RELEASE FreeBSD 5.0-RELEASE #14: Thu Feb  6 00:03:53 CET 2003   rgregory@tahoe.acn.waw.pl:/usr/obj/usr/src/sys/TAHOE  i386


	
>Description:
	

	The manual for jail(8) does not mention anything about mounting devfs
	under jail's /dev.
	I created a jail for sshd daemon. While tring to ssh into the jail,
	ssh process hangs.

gregory  1161  0.0  0.7  2392 1932  p3  S+J   8:48PM   0:00.07 ssh 192.168.0.5
root     1162  0.0  0.9  5372 2360  ??  IJ    8:48PM   0:00.02 sshd: gregory [pr
iv] (sshd)
gregory  1165  0.0  0.9  5372 2404  ??  SJ    8:48PM   0:00.01 sshd: gregory@not
ty (sshd)

	Thre are no free ttys.

>How-To-Repeat:
	
	Create a jail environment according to jail(8) manual, start 
	jailed sshd.
	Try to log into the jail more than once.
>Fix:

	
	Add a comment about mounting devfs under jail's /dev.
	mount -t devfs devfs /pathtojail/dev

	Thanks to nick@garage.freebsd.pl for the hint.
>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@FreeBSD.org>
To: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
Cc: bug-followup@FreeBSD.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Sun, 9 Feb 2003 19:55:39 +0200

 On 2003-02-08 21:08, Grzegorz Czaplinski wrote:
 > The manual for jail(8) does not mention anything about mounting
 > devfs under jail's /dev.
 
 This is true, but mentioning devfs only is probably incomplete.  The
 proper way to handle this is to mention that
 
 # Jailed processes that need devices should have some sort of access
 # to /dev nodes when they are inside the jail, imho.  It is then up to
 # the administrator to choose how to implement this.  Either by
 # mounting devfs under the /jail/dev directory or by manually calling
 # MAKEDEV or mknod to create only those devices that are absolutely
 # necessary.
 
 Would a note like the above paragraph be ok?
 

From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Sun, 9 Feb 2003 22:27:44 +0100

 --pWyiEgJYm5f9v55/
 Content-Type: text/plain; charset=iso-8859-2
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 On Sun, Feb 09, 2003 at 07:55:39PM +0200, Giorgos Keramidas wrote:
 > On 2003-02-08 21:08, Grzegorz Czaplinski wrote:
 > > The manual for jail(8) does not mention anything about mounting
 > > devfs under jail's /dev.
 >=20
 > This is true, but mentioning devfs only is probably incomplete.  The
 > proper way to handle this is to mention that
 >=20
 > # Jailed processes that need devices should have some sort of access
 > # to /dev nodes when they are inside the jail, imho.  It is then up to
 > # the administrator to choose how to implement this.  Either by
 > # mounting devfs under the /jail/dev directory or by manually calling
 > # MAKEDEV or mknod to create only those devices that are absolutely
 > # necessary.
 >=20
 > Would a note like the above paragraph be ok?
 >=20
 
 I would put it that way:
 # Jailed processes that need devices should have some sort of access
 # to /dev nodes when they are inside the jail. Making device nodes with
 # MAKEDEV or mknod is not sufficient. To let devfs(5) allocate device
 # nodes in your jail transparently do:
 	mount -t devfs devfs /jail/dev
 
 That was not sufficient for me to make device nodes with MAKEDEV or
 mknod. I have tested it rather heavily.
 
 Thanks,
 	Grzegorz
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F
 
 --pWyiEgJYm5f9v55/
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.0.6 (FreeBSD)
 Comment: For info see http://www.gnupg.org
 
 iEYEARECAAYFAj5Gx88ACgkQpw+idSSJRp+cdACgvXTmruyDzb4MHuj2F3TrWbxH
 8aMAn1gZUHZvp9CQTqYS6hyHM15JXHo4
 =8ebS
 -----END PGP SIGNATURE-----
 
 --pWyiEgJYm5f9v55/--

From: Giorgos Keramidas <keramida@freebsd.org>
To: bug-followup@freebsd.org
Cc: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Sun, 9 Feb 2003 23:36:26 +0200

 On 2003-02-09 22:27, Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl> wrote:
 > On Sun, Feb 09, 2003 at 07:55:39PM +0200, Giorgos Keramidas wrote:
 > > # Jailed processes that need devices should have some sort of access
 > > # to /dev nodes when they are inside the jail, imho.  It is then up to
 > > # the administrator to choose how to implement this.  Either by
 > > # mounting devfs under the /jail/dev directory or by manually calling
 > > # MAKEDEV or mknod to create only those devices that are absolutely
 > > # necessary.
 >
 > I would put it that way:
 > # Jailed processes that need devices should have some sort of access
 > # to /dev nodes when they are inside the jail. Making device nodes with
 > # MAKEDEV or mknod is not sufficient. To let devfs(5) allocate device
 > # nodes in your jail transparently do:
 > 	mount -t devfs devfs /jail/dev
 
 Hmm, odd.  Isn't mknod sufficient?  I have problems building world
 right now in my current machine at home, so I can't test this by
 creating a new jail, but how/why did mknod within the jail fail to
 work for you?
 
 - Giorgos
 

From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Mon, 10 Feb 2003 10:53:12 +0100

 --FCuugMFkClbJLl1L
 Content-Type: text/plain; charset=iso-8859-2
 Content-Disposition: inline
 
 Looks like I did not send it to bug-followup@FreeBSD.org.
 Sorry.
 
 	Grzegorz 
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F
 
 --FCuugMFkClbJLl1L
 Content-Type: message/rfc822
 Content-Disposition: inline
 
 Date: Sun, 9 Feb 2003 23:09:22 +0100
 From: Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 To: Giorgos Keramidas <keramida@freebsd.org>
 Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
 Message-ID: <20030209220922.GD35509@prioris.mini.pw.edu.pl>
 References: <20030208200830.C85C17CF1A@prioris.mini.pw.edu.pl> <20030209175539.GB30623@gothmog.gr> <20030209212743.GA35509@prioris.mini.pw.edu.pl> <20030209213626.GC51880@gothmog.gr>
 Mime-Version: 1.0
 Content-Type: multipart/signed; micalg=pgp-sha1;
 	protocol="application/pgp-signature"; boundary="2Z2K0IlrPCVsbNpk"
 Content-Disposition: inline
 In-Reply-To: <20030209213626.GC51880@gothmog.gr>
 User-Agent: Mutt/1.4i
 X-PGP: http://prioris.mini.pw.edu.pl/~gregory/pgp.txt
 
 
 --2Z2K0IlrPCVsbNpk
 Content-Type: text/plain; charset=iso-8859-2
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 On Sun, Feb 09, 2003 at 11:36:26PM +0200, Giorgos Keramidas wrote:
 > > > # Jailed processes that need devices should have some sort of access
 > > > # to /dev nodes when they are inside the jail, imho.  It is then up to
 > > > # the administrator to choose how to implement this.  Either by
 > > > # mounting devfs under the /jail/dev directory or by manually calling
 > > > # MAKEDEV or mknod to create only those devices that are absolutely
 > > > # necessary.
 > >
 > > I would put it that way:
 > > # Jailed processes that need devices should have some sort of access
 > > # to /dev nodes when they are inside the jail. Making device nodes with
 > > # MAKEDEV or mknod is not sufficient. To let devfs(5) allocate device
 > > # nodes in your jail transparently do:
 > > 	mount -t devfs devfs /jail/dev
 >=20
 > Hmm, odd.  Isn't mknod sufficient?  I have problems building world
 > right now in my current machine at home, so I can't test this by
 > creating a new jail, but how/why did mknod within the jail fail to
 > work for you?
 >=20
 > - Giorgos
 
 I can create device nodes with mknod, no problem. Look:
 tahoe# ls -l /jails/jail/dev/ttyp*           [/jails/jail/dev 10:53PM]
 crw-rw-rw-  1 root  wheel    5,   0 Feb  9 22:08 /jails/jail/dev/ttyp0
 crw-rw-rw-  1 root  wheel    5,   1 Feb  9 22:08 /jails/jail/dev/ttyp1
 crw-rw-rw-  1 root  wheel    5,   2 Feb  9 22:07 /jails/jail/dev/ttyp2
 crw-rw-rw-  1 root  wheel    5,   3 Feb  9 22:55 /jails/jail/dev/ttyp3
 crw-rw-rw-  1 root  wheel    5,   4 Feb  9 22:07 /jails/jail/dev/ttyp4
 crw-rw-rw-  1 root  wheel    5,   5 Feb  9 22:07 /jails/jail/dev/ttyp5
 crw-rw-rw-  1 root  wheel    5,   6 Feb  9 22:07 /jails/jail/dev/ttyp6
 crw-rw-rw-  1 root  wheel    5,   7 Feb  9 22:07 /jails/jail/dev/ttyp7
 crw-rw-rw-  1 root  wheel    5,   8 Feb  9 22:07 /jails/jail/dev/ttyp8
 crw-rw-rw-  1 root  wheel    5,   9 Feb  9 22:07 /jails/jail/dev/ttyp9
 
 devfs is not mounted under /jails/jail/dev/
 When I try to log into the jail for the third time the session hangs:
 
 gregory   991  0.0  0.7  2392 1932  p2  S+J  10:57PM   0:00.07 ssh=20
 192.168.0.5
 root      992  0.0  0.9  5372 2360  ??  SJ   10:57PM   0:00.02 sshd:=20
 gregory [priv] (sshd)
 gregory   995  0.0  0.9  5372 2404  ??  SJ   10:57PM   0:00.01 sshd:
 gregory@notty (sshd)
 
 After mounting devfs everything works correctly.
 
 That might be a problem at my side though.
 
 Cheers,
 	Grzegorz=20
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F
 
 --2Z2K0IlrPCVsbNpk
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.0.6 (FreeBSD)
 Comment: For info see http://www.gnupg.org
 
 iEYEARECAAYFAj5G0YUACgkQpw+idSSJRp/p8ACfWRMh/8JDQTVBeG+nkAlLAwcU
 F7gAoL1ao+8FqjToruIUoQ1tOOhuvGtO
 =Qd6Z
 -----END PGP SIGNATURE-----
 
 --2Z2K0IlrPCVsbNpk--
 
 --FCuugMFkClbJLl1L--
Responsible-Changed-From-To: freebsd-doc->keramida 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Wed Feb 12 19:00:36 PST 2003 
Responsible-Changed-Why:  
I think I can handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48095 
State-Changed-From-To: open->patched 
State-Changed-By: keramida 
State-Changed-When: Fri Feb 28 14:48:15 PST 2003 
State-Changed-Why:  
I have removed the reference to MAKEDEV from -current. 
MAKEDEV is no longer supported in FreeBSD 5.X. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48095 
State-Changed-From-To: patched->closed 
State-Changed-By: keramida 
State-Changed-When: Fri Feb 28 15:48:10 PST 2003 
State-Changed-Why:  
On second thought, there is nothing to MFC here.  DEVFS works fine in current, but 
we don't need to change anything in RELENG_4 manpages. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48095 

From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: G.Czaplinski@prioris.mini.pw.edu.pl, bug-followup@FreeBSD.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Wed, 5 Mar 2003 19:15:52 +0100

 On Fri, Feb 28, 2003 at 03:49:45PM -0800, Giorgos Keramidas wrote:
 > Synopsis: Manual page for jail(8) does not mention mounting devfs under jail.
 > 
 > State-Changed-From-To: patched->closed
 > State-Changed-By: keramida
 > State-Changed-When: Fri Feb 28 15:48:10 PST 2003
 > State-Changed-Why: 
 > On second thought, there is nothing to MFC here.  DEVFS works fine in current, but
 > we don't need to change anything in RELENG_4 manpages.
 > 
 
 We don't have to, that is right.
 
 Cheers,
 	Grzegorz
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F

From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: G.Czaplinski@prioris.mini.pw.edu.pl, bug-followup@FreeBSD.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Wed, 5 Mar 2003 19:18:29 +0100

 On Fri, Feb 28, 2003 at 02:49:32PM -0800, Giorgos Keramidas wrote:
 > Synopsis: Manual page for jail(8) does not mention mounting devfs under jail.
 > 
 > State-Changed-From-To: open->patched
 > State-Changed-By: keramida
 > State-Changed-When: Fri Feb 28 14:48:15 PST 2003
 > State-Changed-Why: 
 > I have removed the reference to MAKEDEV from -current.
 > MAKEDEV is no longer supported in FreeBSD 5.X.
 
 One question, did you add anything about mounting devfs under jail's
 dev?
 
 Thanks!
 	Grzegorz
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F

From: Giorgos Keramidas <keramida@freebsd.org>
To: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
Cc: bug-followup@freebsd.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Wed, 5 Mar 2003 22:19:00 +0200

 On 2003-03-05 19:18, Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl> wrote:
 > On Fri, Feb 28, 2003 at 02:49:32PM -0800, Giorgos Keramidas wrote:
 > > State-Changed-From-To: open->patched
 > > State-Changed-By: keramida
 > > State-Changed-When: Fri Feb 28 14:48:15 PST 2003
 > > State-Changed-Why:
 > > I have removed the reference to MAKEDEV from -current.
 > > MAKEDEV is no longer supported in FreeBSD 5.X.
 >
 > One question, did you add anything about mounting devfs under jail's
 > dev?
 
 Yes.
 The new manpage uses the following as the sample jail command set:
 
      D=/here/is/the/jail
      cd /usr/src
      mkdir -p $D
      make world DESTDIR=$D
      cd etc
      make distribution DESTDIR=$D
      mount_devfs devfs $D/dev
      cd $D
      ln -sf dev/null kernel
 
 - Giorgos

From: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>,
	bug-followup@freebsd.org
Subject: Re: docs/48095: Manual page for jail(8) does not mention mounting devfs under jail.
Date: Wed, 5 Mar 2003 21:22:52 +0100

 --IuhbYIxU28t+Kd57
 Content-Type: text/plain; charset=iso-8859-2
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 On Wed, Mar 05, 2003 at 10:19:00PM +0200, Giorgos Keramidas wrote:
 > > > State-Changed-From-To: open->patched
 > > > State-Changed-By: keramida
 > > > State-Changed-When: Fri Feb 28 14:48:15 PST 2003
 > > > State-Changed-Why:
 > > > I have removed the reference to MAKEDEV from -current.
 > > > MAKEDEV is no longer supported in FreeBSD 5.X.
 > >
 > > One question, did you add anything about mounting devfs under jail's
 > > dev?
 >=20
 > Yes.
 > The new manpage uses the following as the sample jail command set:
 >=20
 >      D=3D/here/is/the/jail
 >      cd /usr/src
 >      mkdir -p $D
 >      make world DESTDIR=3D$D
 >      cd etc
 >      make distribution DESTDIR=3D$D
 >      mount_devfs devfs $D/dev
 >      cd $D
 >      ln -sf dev/null kernel
 >=20
 > - Giorgos
 
 Hi!
 I just wanted to make sure.
 Thanks again Giorgos!
 
 Take care and all the best,
 			Grzegorz=20
 --
 Grzegorz Czaplinski <gregory@prioris.mini.pw.edu.pl>
 "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
  Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F
 
 --IuhbYIxU28t+Kd57
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.0.6 (FreeBSD)
 Comment: For info see http://www.gnupg.org
 
 iEYEARECAAYFAj5mXJsACgkQpw+idSSJRp8JnACfdVMaKEtsjIqtRp2Je1CT8ce6
 D7wAoIg+PcDCjKyCYS0uZyTsx/DEt/QU
 =mFjO
 -----END PGP SIGNATURE-----
 
 --IuhbYIxU28t+Kd57--
>Unformatted:
