From mayres@jade.chc-chimes.com  Tue Jun 12 13:07:15 2001
Return-Path: <mayres@jade.chc-chimes.com>
Received: from webmail.chimesnet.com (mail001.level3.chc-chimes.com [63.211.16.2])
	by hub.freebsd.org (Postfix) with ESMTP id AA46737B407
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Jun 2001 13:07:14 -0700 (PDT)
	(envelope-from mayres@jade.chc-chimes.com)
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6])
	by webmail.chimesnet.com (Postfix) with ESMTP
	id 218ECCAC515; Tue, 12 Jun 2001 16:07:08 -0400 (EDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1101)
	id E7D341C8D; Tue, 12 Jun 2001 16:05:19 -0400 (EDT)
Message-Id: <20010612200519.E7D341C8D@jade.chc-chimes.com>
Date: Tue, 12 Jun 2001 16:05:19 -0400 (EDT)
From: mayres@chimesnet.com
Sender: mayres@jade.chc-chimes.com
Reply-To: mayres@chimesnet.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: mayres@chimesnet.com
Subject: ident not working under jail
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28107
>Category:       misc
>Synopsis:       identd does not return usernames while running under a jail.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 12 13:10:01 PDT 2001
>Closed-Date:    Sun Jun 24 05:18:41 PDT 2001
>Last-Modified:  Sun Jun 24 05:20:54 PDT 2001
>Originator:     
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
None 
>Environment:
System: FreeBSD solar.kindhosts.com 4.3-STABLE FreeBSD 4.3-STABLE #2: Mon Jun 11 22:08:39 EDT 2001     matta@solar.kindhosts.com:/usr/obj/usr/src/sys/DIS  i386

>Description:
While running under a jailed enviroment no ident servers will return a valid    
username.  Below is a connection to the hosts ident server and to the jails.    
The hosts inetd is set to only listen on the hosts ip address.  If inetd's 
internal auth is set to respond with a random string (-g) all works as wanted.

host:
telnet 64.156.64.2 113
Trying 64.156.64.2...
Connected to solar.kindhosts.com.
Escape character is '^]'.
113, 1258
113 , 1258 : USERID : UNKNOWN : root
Connection closed by foreign host.

jail:
telnet 64.156.64.12 113
Trying 64.156.64.12...
Connected to 64.156.64.12.
Escape character is '^]'.
113, 1259
113 , 1259 : ERROR : Operation not permitted
Connection closed by foreign host.

jail (auth w/ -g):
telnet 64.156.64.12 113
Trying 64.156.64.12...
Connected to 64.156.64.12.
Escape character is '^]'.
113, 1263
113 , 1263 : USERID : UNKNOWN : 6w1l60
Connection closed by foreign host.


>How-To-Repeat:
See above.

>Fix:

	
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Tue Jun 12 18:07:34 PDT 2001 
State-Changed-Why:  
That's a feature, not a bug. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28107 
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Wed Jun 13 03:50:01 PDT 2001 
Responsible-Changed-Why:  
I'll have a look at this. 
.. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28107 
State-Changed-From-To: closed->open 
State-Changed-By: dwmalone 
State-Changed-When: Thu Jun 14 06:20:31 PDT 2001 
State-Changed-Why:  
DES and I have worked out a way of allowing ident in a jail using 
the socket's credentials and Robert Watson's u_cansee code. 

The (untested) patch below is intended to have the following 
semantics: 

1) A unjailed getcred caller can get the creds for any socket. 
2) A jailed getcred caller can only get the creds for a socket 
if that socket was created by a process in the same jail. 

I'll forward the patch to -audit with more details. 

David. 

--- tcp_subr.c.orig	Thu Jun 14 13:46:01 2001 
+++ tcp_subr.c	Thu Jun 14 13:52:24 2001 
@@ -880,7 +880,7 @@ 
struct inpcb *inp; 
int error, s; 

-	error = suser(req->p); 
+	error = suser_xxx(0, req->p, PRISON_ROOT); 
if (error) 
return (error); 
error = SYSCTL_IN(req, addrs, sizeof(addrs)); 
@@ -893,6 +893,9 @@ 
error = ENOENT; 
goto out; 
} 
+	error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred); 
+	if (error) 
+		goto out; 
bzero(&xuc, sizeof(xuc)); 
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; 
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; 
@@ -916,7 +919,7 @@ 
struct inpcb *inp; 
int error, s, mapped = 0; 

-	error = suser(req->p); 
+	error = suser_xxx(0, req->p, PRISON_ROOT); 
if (error) 
return (error); 
error = SYSCTL_IN(req, addrs, sizeof(addrs)); 
@@ -945,6 +948,9 @@ 
error = ENOENT; 
goto out; 
} 
+	error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred); 
+	if (error) 
+		goto out; 
bzero(&xuc, sizeof(xuc)); 
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; 
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28107 
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Sun Jun 24 05:18:41 PDT 2001 
State-Changed-Why:  
The getcred sysctl calls have been made work within jails in -current. 

Unfortunately merging this to -stable would involve a significant 
merging of Robert Watson's work on credentials which is probably 
too large a change for -stable. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28107 
>Unformatted:
