Attachment 214377 Details for Bug 246371 – jail console listings with different chflags and securelevel settings

jail console listings with different chflags and securelevel settings

rsync_samba_acls.txt (text/plain), 5.18 KB, created by James B. Byrne on 2020-05-11 14:12:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: James B. Byrne

Created: 2020-05-11 14:12:23 UTC

Size: 5.18 KB

patch

obsolete

>
>
># iocage upgrade samba-03 -r 12.1-RELEASE
>Jail: samba-03 is already at version 12.1-RELEASE!
>
>[root@vhost04 ~ (master)]# iocage set allow_chflags="YES" samba-03
>[root@vhost04 ~ (master)]# iocage set securelevel="-1" samba-03
>
>[root@vhost04 ~ (master)]# iocage get all samba-03
>CONFIG_VERSION:27
>allow_chflags:1
>allow_mlock:0
>allow_mount:0
>allow_mount_devfs:0
>allow_mount_fusefs:0
>allow_mount_nullfs:0
>allow_mount_procfs:0
>allow_mount_tmpfs:1
>allow_mount_zfs:0
>allow_quotas:0
>allow_raw_sockets:1
>allow_set_hostname:1
>allow_socket_af:0
>allow_sysvipc:0
>allow_tun:0
>allow_vmm:0
>assign_localhost:1
>available:readonly
>basejail:0
>boot:0
>bpf:0
>children_max:0
>cloned_release:12.0-RELEASE-p12
>comment:none
>compression:lz4
>compressratio:readonly
>coredumpsize:off
>count:1
>cpuset:off
>cputime:off
>datasize:off
>dedup:off
>defaultrouter:auto
>defaultrouter6:auto
>depends:none
>devfs_ruleset:1003
>dhcp:0
>enforce_statfs:1
>exec_clean:1
>exec_created:/usr/bin/true
>exec_fib:0
>exec_jail_user:root
>exec_poststart:/usr/bin/true
>exec_poststop:/usr/bin/true
>exec_prestart:/usr/bin/true
>exec_prestop:/usr/bin/true
>exec_start:/bin/sh /etc/rc
>exec_stop:/bin/sh /etc/rc.shutdown
>exec_system_jail_user:0
>exec_system_user:root
>exec_timeout:60
>host_domainname:none
>host_hostname:samba-03.brockley-2016.harte-lyne.ca
>host_hostuuid:samba-03
>host_time:1
>hostid:b4cdc46c-7e7a-11de-87df-0011d8a408ed
>hostid_strict_check:0
>interfaces:vnet0:bridge0
>ip4:new
>ip4_addr:em0|192.168.8.67
>ip4_saddrsel:1
>ip6:new
>ip6_addr:none
>ip6_saddrsel:1
>ip_hostname:0
>jail_zfs:0
>jail_zfs_dataset:iocage/jails/samba-03/data
>jail_zfs_mountpoint:none
>last_started:2020-05-10 17:06:24
>localhost_ip:127.0.67.1
>login_flags:-f root
>mac_prefix:001cc0
>maxproc:off
>memorylocked:off
>memoryuse:off
>min_dyn_devfs_ruleset:1000
>mount_devfs:1
>mount_fdescfs:1
>mount_linprocfs:0
>mount_procfs:0
>mountpoint:readonly
>msgqqueued:off
>msgqsize:off
>nat:0
>nat_backend:ipfw
>nat_forwards:none
>nat_interface:none
>nat_prefix:172.16
>nmsgq:off
>notes:none
>nsem:off
>nsemop:off
>nshm:off
>nthr:off
>openfiles:off
>origin:readonly
>owner:root
>pcpu:off
>plugin_name:none
>plugin_repository:none
>priority:99
>pseudoterminals:off
>quota:none
>readbps:off
>readiops:off
>release:12.1-RELEASE-p3
>reservation:none
>resolver:search brockley-2016.harte-lyne.ca hamilton.harte-lyne.ca harte-lyne.ca;nameserver 216.185.71.33;nameserver 216.185.71.34;options edns0 timeout:5 attempts:3
>rlimits:off
>rtsold:0
>securelevel:-1
>shmsize:off
>stacksize:off
>state:up
>stop_timeout:30
>swapuse:off
>sync_state:none
>sync_target:none
>sync_tgt_zpool:none
>sysvmsg:new
>sysvsem:new
>sysvshm:new
>template:0
>type:jail
>used:readonly
>vmemoryuse:off
>vnet:0
>vnet0_mac:none
>vnet1_mac:none
>vnet2_mac:none
>vnet3_mac:none
>vnet_default_interface:auto
>vnet_interfaces:none
>wallclock:off
>writebps:off
>writeiops:off
>
>
>
>[root@vhost04 ~ (master)]# rsync -XAav --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol  /var/db/samba4
>!!Warning!! -	Any deliberate attempt to access this resource without
>                legitimate authorization is a criminal offence
>                (R.S.C. 1985, c. C-46 - Section 342.1).
>receiving file list ...
>recv_acl_index: ACL_TYPE_ACCESS ACL index 16 > 0
>rsync error: error in rsync protocol data stream (code 12) at acls.c(1119) [Receiver=3.1.3]
>
>
>These are the default values:
>
>[root@samba-03 ~]# sysctl -a | grep 'chflag\|securelevel'
>kern.securelevel: 2
>security.jail.param.allow.chflags: 0
>security.jail.param.securelevel: 0
>security.jail.chflags_allowed: 0
>
>
>[root@samba-03 ~]# rsync -XAav --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol  /var/db/samba4
>!!Warning!! -	Any deliberate attempt to access this resource without
>                legitimate authorization is a criminal offence
>                (R.S.C. 1985, c. C-46 - Section 342.1).
>receiving file list ...
>recv_acl_index: ACL_TYPE_ACCESS ACL index 16 > 0
>rsync error: error in rsync protocol data stream (code 12) at acls.c(1119) [Receiver=3.1.3]
>
>This is with only chflags allowed:
>
>[root@samba-03 ~]# sysctl -a | grep 'chflag\|securelevel'
>kern.securelevel: 2
>security.jail.param.allow.chflags: 0
>security.jail.param.securelevel: 0
>security.jail.chflags_allowed: 1
>
>[root@samba-03 ~]# rsync -XAav --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol  /var/db/samba4
>!!Warning!! -	Any deliberate attempt to access this resource without
>                legitimate authorization is a criminal offence
>                (R.S.C. 1985, c. C-46 - Section 342.1).
>receiving file list ...
>recv_acl_index: ACL_TYPE_ACCESS ACL index 16 > 0
>rsync error: error in rsync protocol data stream (code 12) at acls.c(1119) [Receiver=3.1.3]
>
>This is with both chflags allowed and securelevel 0
>
>[root@samba-03 ~]# sysctl -a | grep 'chflag\|securelevel'
>kern.securelevel: 0
>security.jail.param.allow.chflags: 0
>security.jail.param.securelevel: 0
>security.jail.chflags_allowed: 1
>
>[root@samba-03 ~]# rsync -XAav --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol  /var/db/samba4
>!!Warning!! -	Any deliberate attempt to access this resource without
>                legitimate authorization is a criminal offence
>                (R.S.C. 1985, c. C-46 - Section 342.1).
>receiving file list ...
>recv_acl_index: ACL_TYPE_ACCESS ACL index 16 > 0
>rsync error: error in rsync protocol data stream (code 12) at acls.c(1119) [Receiver=3.1.3]

Actions: View

Attachments on bug 246371: 214377