
Re: jail(2) support to OpenLDAP



Thanks for the contribution.  A few comments...

I wonder if builtin support for jail(2) is generally useful or
not.  My thoughts are that admins should generally use jail(8)
as discussed in the jail(8) manual page.

The only reason I could see for having builtin jail(2)
support is the same reason we have builtin chroot(2) support,
ldapi://.  The Unix domain socket is opened before the chroot(2)
call and, in your patch, before the jail(2) call.

But I note placement of the jail(2) call in your patch
means that all listeners, including TCP/IP ones, are
opened before the jail(2) call.  This likely will lead
to unexpected behavior where the listener is not allowed
in the jail.  Of course, if you move the jail(2) call before
the listener startup, you'd have removed the only reason
for integrating the jail(2) support.

While we could redesign the listener startup to separately
start UNIX from TCP listeners, allowing the jail(2) call
to be properly placed, I am not sure it's worth it.
jail(2) is best thought of as a virtual hosting
mechanism.

Now a few patch specific issues:

Why do you call chroot(2) after calling jail(2)?  This
seems, at best, extraneous.  jail(2) calls chroot(2)
internally.

I would suggest combining the jail arguments 
        slapd -J host:IP:/path
so as to avoid consuming multiple flags.




At 11:48 AM 1/15/2006, Oni (Paolo Meschi) wrote:
>I wrote a patch that adds the BSD jail(2) support to slapd(8), you can
>find it at this address:
>
>http://www.paolomeschi.com/patches/openldap/openldap-jail.patch
>
>Any comments would be appreciated,
>
>Paolo.
>
>(A copy of this mail has been sent to the OpenLDAP ITS as software enhancement)
>
>I attach down here a copy of the patch:
>----------------------------------------------------------------------------------------------------------------
>
>        Copyright 2006 Paolo Meschi <paolo.meschi@gmail.com>
>
>        Redistribution and use in source and binary forms, with or
>        without modification, are permitted only as authorized by
>        the OpenLDAP Public License.
>
>diff -rNu openldap/configure openldap-jail-patch/configure
>--- openldap/configure  2006-01-10 04:07:51.000000000 +0100
>+++ openldap-jail-patch/configure       2006-01-15 19:16:12.000000000 +0100
>@@ -43391,6 +43391,7 @@
>        gettimeofday    \
>        initgroups              \
>        inet_ntoa_b             \
>+       jail                    \
>        lockf                   \
>        memcpy                  \
>        memmove                 \
>diff -rNu openldap/configure.in openldap-jail-patch/configure.in
>--- openldap/configure.in       2006-01-10 04:07:58.000000000 +0100
>+++ openldap-jail-patch/configure.in    2006-01-15 19:15:19.000000000 +0100
>@@ -2572,6 +2572,7 @@
>        gettimeofday    \
>        initgroups              \
>        inet_ntoa_b             \
>+       jail                    \
>        lockf                   \
>        memcpy                  \
>        memmove                 \
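Review bot: a function check for jail alone only proves that a jail symbol links; the main.c hunk further down assumes a particular four-member struct jail and sets j.version = 0, so the kernel interface is versioned. Consider also checking for the <sys/jail.h> header (AC_CHECK_HEADERS) and for the struct members the code uses (AC_CHECK_MEMBERS), so that HAVE_JAIL is only defined where the struct layout the code fills in is actually the one the system expects.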
>diff -rNu openldap/include/portable.hin openldap-jail-patch/include/portable.hin
>--- openldap/include/portable.hin       2006-01-10 04:07:58.000000000 +0100
>+++ openldap-jail-patch/include/portable.hin    2006-01-15 19:40:28.000000000 +0100
>@@ -298,6 +298,9 @@
> /* Define to 1 if you have the <io.h> header file. */
> #undef HAVE_IO_H
>
>+/* Define to 1 if you have the `jail' function. */
>+#undef HAVE_JAIL
>+
> /* define if you have Kerberos */
> #undef HAVE_KERBEROS
>
>diff -rNu openldap/servers/slapd/main.c openldap-jail-patch/servers/slapd/main.c
>--- openldap/servers/slapd/main.c       2006-01-03 23:12:14.000000000 +0100
>+++ openldap-jail-patch/servers/slapd/main.c    2006-01-15 19:13:57.000000000 +0100
>@@ -39,6 +39,10 @@
> #include "lutil.h"
> #include "ldif.h"
>
>+#ifdef HAVE_JAIL
>+#include <sys/jail.h>
>+#endif
>+
> #ifdef LDAP_SLAPI
> #include "slapi/slapi.h"
> #endif
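Review bot: the 'i' option case added later calls inet_addr() and ntohl() and compares against INADDR_NONE, but this hunk only adds <sys/jail.h>. Confirm that main.c already pulls in <netinet/in.h> and <arpa/inet.h> (or OpenLDAP's ac/socket.h wrapper) on the platforms where HAVE_JAIL is defined, otherwise the build breaks only in the jail-enabled configuration, which is the one least likely to be exercised by other developers.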
>@@ -291,6 +295,11 @@
>                "\t-g group\tGroup (id or name) to run as\n"
> #endif
>                "\t-h URLs\t\tList of URLs to serve\n"
>+#ifdef HAVE_JAIL
>+               "\t-H hostname\tHostname to jail to\n"
>+               "\t-i IP\t\tIP address to jail to\n"
>+               "\t-j directory\tSandbox directory to jail to\n"
>+#endif
> #ifdef LOG_LOCAL4
>                "\t-l facility\tSyslog facility (default: LOCAL4)\n"
> #endif
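Review bot: three single-letter options (-H, -i, -j) are consumed for one feature, and slapd's remaining option letters are scarce; a single combined argument such as -J host:IP:/path, as suggested at the top of this reply, avoids that. The usage text should also say that -j is the jail root and is mutually exclusive with the existing -r chroot directory, since the code later refuses to do both but the help output gives no hint of it.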
>@@ -334,6 +343,9 @@
> #if defined(HAVE_CHROOT)
>        char *sandbox = NULL;
> #endif
>+#ifdef HAVE_JAIL
>+       struct jail j = { 0, NULL, NULL, 0 };
>+#endif
> #ifdef LOG_LOCAL4
>        int syslogUser = DEFAULT_SYSLOG_USER;
> #endif
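Review bot: `struct jail j = { 0, NULL, NULL, 0 };` depends on the member order version, path, hostname, ip_number; `struct jail j = { 0 };` zero-initializes every member whatever the layout and reads the same, which matters because the struct is versioned and the positional form silently shifts if a member is added or reordered.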
>@@ -429,6 +441,9 @@
> #ifdef HAVE_CHROOT
>                                "r:"
> #endif
>+#ifdef HAVE_JAIL
>+                               "i:j:H:"
>+#endif
> #ifdef LDAP_SYSLOG
>                                "S:"
> #endif
>@@ -569,6 +584,25 @@
>                        break;
> #endif
>
>+#ifdef HAVE_JAIL
>+               case 'j':
>+                       if( j.path ) free( j.path );
>+                       j.path = ch_strdup( optarg );
>+                       break;
>+               case 'i':
>+                       if( ( j.ip_number = ntohl( inet_addr( optarg ) ) )  ==  INADDR_NONE ) {
>+                               fprintf( stderr, "invalid ip\n" );
>+                               usage( argv[0] );
>+                               rc = 1;
>+                               goto stop;
>+                       }
>+                       break;
>+               case 'H':
>+                       if( j.hostname ) free( j.hostname );
>+                       j.hostname = ch_strdup( optarg );
>+                       break;
>+#endif
>+
> #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
>                case 'u':       /* user name */
>                        if( username ) free(username);
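Review bot: in case 'i', inet_addr() returns INADDR_NONE both for a parse failure and for the valid address 255.255.255.255 (ntohl(INADDR_NONE) is still INADDR_NONE, so the comparison itself is fine), and the validation in the later hunk treats ip_number == 0 as "missing", so 0.0.0.0 is rejected as well. inet_aton() or inet_pton() reports failure separately from the value and removes both ambiguities. The `if( j.path ) free( j.path )` handling matches the existing username case below, so no change needed there.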
>@@ -665,6 +699,46 @@
>                goto stop;
>        }
>
>+#if defined(HAVE_JAIL)
>+       if ( j.hostname && j.path && ( j.ip_number != 0 ) ) {
>+#if defined(HAVE_CHROOT)
>+               if( sandbox ) {
>+                       fprintf( stderr, "can't both chroot and jail\n" );
>+                       rc = 1;
>+                       goto stop;
>+               }
>+#endif /* HAVE_CHROOT */
>+               if( chdir( j.path ) ) {
>+                       perror("chdir");
>+                       rc = 1;
>+                       goto stop;
>+               }
>+               j.version = 0;
>+               if( jail( &j ) == -1 ) {
>+                       fprintf( stderr, "jail failed\n" );
>+                       perror("jail");
>+                       rc = 1;
>+                       goto stop;
>+               }
>+               if( chroot( "/" ) ) {
>+                       fprintf( stderr, "can't chroot to \"/\" after jail\n" );
>+                       perror("chroot");
>+                       rc = 1;
>+                       goto stop;
>+               }
>+       } else if( j.hostname || j.path || ( j.ip_number != 0 ) ) {
>+               if( !j.hostname )
>+                       fprintf( stderr, "missing jail hostname\n" );
>+               if( !j.path )
>+                       fprintf( stderr, "missing jail path\n" );
>+               if( j.ip_number == 0 )
>+                       fprintf( stderr, "missing jail ip number\n" );
>+               usage( argv[0] );
>+               rc = 1;
>+               goto stop;
>+       }
>+#endif
>+
> #if defined(HAVE_CHROOT)
>        if ( sandbox ) {
>                if ( chdir( sandbox ) ) {
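Review bot: the chroot( "/" ) after jail() is redundant, since jail(2) already confines the process to j.path, and it only adds one more failure path; drop it. In the jail failure branch the `fprintf( stderr, "jail failed\n" )` followed by `perror("jail")` prints two messages for one error; perror alone is enough. The block also runs after the listeners have been opened, so a TCP listener bound to an address other than the jail IP is already set up before the jail can restrict it, which is the placement problem raised at the top of this reply.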
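The combined `-J host:IP:/path` form suggested at the top of this reply, as an added example that is not part of the thread or of Paolo's patch: a small parser for that argument in plain C. The `struct jail_spec` and `parse_jail_spec` names are hypothetical; FreeBSD's `struct jail` is deliberately not used so the code builds on any POSIX system. It assumes, as the patch does, an IPv4 address stored in host byte order, and it uses inet_pton() so that 255.255.255.255 and 0.0.0.0 are accepted as addresses instead of colliding with the inet_addr() error value.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for a parsed -J argument. It mirrors the three
 * fields the patch fills in (hostname, ip_number, path) without
 * depending on FreeBSD's struct jail, so this compiles anywhere. */
struct jail_spec {
    char     hostname[256];
    uint32_t ip_number;     /* host byte order, as the patch stores it */
    char     path[1024];
};

/* Parse "host:IP:/path". Returns 0 on success, -1 on any error.
 * The jail root must be absolute, so the separator in front of it is
 * ":/"; splitting there keeps the host and IP fields unambiguous. */
int parse_jail_spec(const char *spec, struct jail_spec *out)
{
    const char *ip_start, *path_start;
    struct in_addr addr;
    size_t host_len, ip_len;
    char ip_buf[INET_ADDRSTRLEN];

    if (spec == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof *out);

    /* hostname ends at the first ':' */
    ip_start = strchr(spec, ':');
    if (ip_start == NULL)
        return -1;
    host_len = (size_t)(ip_start - spec);
    ip_start++;

    /* IP ends at ":/", the path begins at that '/' */
    path_start = strstr(ip_start, ":/");
    if (path_start == NULL)
        return -1;
    ip_len = (size_t)(path_start - ip_start);
    path_start++;

    if (host_len == 0 || host_len >= sizeof out->hostname)
        return -1;
    if (ip_len == 0 || ip_len >= sizeof ip_buf)
        return -1;
    if (strlen(path_start) >= sizeof out->path)
        return -1;

    memcpy(ip_buf, ip_start, ip_len);
    ip_buf[ip_len] = '\0';
    /* inet_pton() reports success separately from the parsed value, so
     * 255.255.255.255 and 0.0.0.0 are valid here, unlike with the
     * INADDR_NONE / ip_number == 0 checks in the patch. */
    if (inet_pton(AF_INET, ip_buf, &addr) != 1)
        return -1;

    memcpy(out->hostname, spec, host_len);
    out->hostname[host_len] = '\0';
    out->ip_number = ntohl(addr.s_addr);
    strcpy(out->path, path_start);
    return 0;
}

int main(void)
{
    /* constructed sample argument, not taken from the thread */
    const char *sample = "ldap.example.com:192.0.2.10:/var/jail/ldap";
    struct jail_spec js;

    if (parse_jail_spec(sample, &js) != 0) {
        fprintf(stderr, "invalid -J argument: %s\n", sample);
        return 1;
    }
    printf("hostname=%s ip=0x%08x path=%s\n",
           js.hostname, (unsigned)js.ip_number, js.path);
    return 0;
}
```

The parser rejects a relative jail root and an empty host or address, which covers the "missing jail ..." checks the patch performs after option parsing in one place.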