jail exec.clean busted in 12?

From: Michael W. Lucas <mwlucas_at_michaelwlucas.com>
Date: Tue, 11 Sep 2018 15:58:02 -0400

Hi,

storm~;uname -a
FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 12:29:00 EDT 2018     root_at_storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

It appears that exec.clean is busted. Here's my jail.conf:

---

$j="/jail";
path="$j/$name";
host.hostname="$name.mwl.io";

mount.devfs;
exec.clean=0;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

loghost {
  ip4.addr="203.0.113.231";
  allow.raw_sockets=1;
  jid=99;
}

logdb {
  host.hostname="logdb.mwl.io";
  ip4.addr="203.0.113.232";
  }

---

exec.clean is not explicitly defined on the command line, but it's the
default, so it maybe shouldn't be?

storm~;jls -n
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 host.hostname=logdb.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 host.hostname=loghost.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.231 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144

Anyway, I found this by:

# jexec loghost env
HOME=/home/mwlucas
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
TERM=xterm
LC_COLLATE=C
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
LC_CTYPE=en_US.ISO-8859-1
MAIL=/var/mail/root
...

I'm highly confident my SSH environment shouldn't be in the jail. Yes,
it goes away if I add -l, but my (admittedly sketchy) reading of the
jexec source says that jexec handles stripping the environment before
running the command.

Even if I start it the hard way (from a discussion at
https://github.com/iocage/iocage/issues/610)

storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
storm~;jls
   JID  IP Address      Hostname                      Path
     9                  loghost                       /jail/loghost
     
storm~;jexec 9 env | grep -i ssh
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
storm~;

Any ideas?

Thanks,
==ml

-- 
Michael W. Lucas 	https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
Received on Tue Sep 11 2018 - 17:58:12 UTC
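
The comparison the post makes by eye, as an added example that is not part of the original message: a shell function that lists the variables whose values passed unchanged from the host login session into a jail's environment. The `ALLOW` list, the file names and the stripped-environment sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Compares a host session's environment with a jail's environment.

# Names allowed to carry the same value on both sides (assumption; tune locally).
ALLOW="TERM"

# inherited_vars HOST_ENV JAIL_ENV
# Both arguments are files holding `env` output, one NAME=VALUE per line.
# Prints, sorted, each name whose whole line is identical in both files
# and is not in ALLOW. Values containing newlines are not handled.
inherited_vars() {
    grep -Fx -f "$1" "$2" | cut -d= -f1 | while read -r name; do
        case " $ALLOW " in
            *" $name "*) ;;                 # permitted to match the host
            *) printf '%s\n' "$name" ;;     # came through from the host session
        esac
    done | LC_ALL=C sort
}

# Constructed sample data, modelled on the output quoted in the post.
sample_dir=$(mktemp -d)
cat > "$sample_dir/host.env" <<'EOF'
HOME=/home/mwlucas
TERM=xterm
SSH_CLIENT=203.0.113.70 59076 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
MAIL=/var/mail/root
EOF
# In the post, plain `jexec loghost env` showed the same lines as the host session.
cp "$sample_dir/host.env" "$sample_dir/jail_plain.env"
# Constructed: one possible stripped environment (values are assumptions).
cat > "$sample_dir/jail_clean.env" <<'EOF'
HOME=/root
SHELL=/bin/csh
TERM=xterm
USER=root
EOF

echo "plain jexec:"; inherited_vars "$sample_dir/host.env" "$sample_dir/jail_plain.env"
echo "clean env:";   inherited_vars "$sample_dir/host.env" "$sample_dir/jail_clean.env"
```

On a live host the two input files would come from `env > host.env` and `jexec loghost env > jail.env`.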
