Bug 28107

Summary: identd does not return usernames while running under a jail.
Product: Base System Reporter: mayres <mayres>
Component: miscAssignee: dwmalone
Status: Closed FIXED    
Severity: Affects Only Me CC: mayres
Priority: Normal    
Version: 4.3-STABLE   
Hardware: Any   
OS: Any   

Description mayres 2001-06-12 21:10:01 UTC 
While running under a jailed enviroment no ident servers will return a valid    
username.  Below is a connection to the hosts ident server and to the jails.    
The hosts inetd is set to only listen on the hosts ip address.  If inetd's 
internal auth is set to respond with a random string (-g) all works as wanted.

host:
telnet 64.156.64.2 113
Trying 64.156.64.2...
Connected to solar.kindhosts.com.
Escape character is '^]'.
113, 1258
113 , 1258 : USERID : UNKNOWN : root
Connection closed by foreign host.

jail:
telnet 64.156.64.12 113
Trying 64.156.64.12...
Connected to 64.156.64.12.
Escape character is '^]'.
113, 1259
113 , 1259 : ERROR : Operation not permitted
Connection closed by foreign host.

jail (auth w/ -g):
telnet 64.156.64.12 113
Trying 64.156.64.12...
Connected to 64.156.64.12.
Escape character is '^]'.
113, 1263
113 , 1263 : USERID : UNKNOWN : 6w1l60
Connection closed by foreign host.

How-To-Repeat: See above.
Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2001-06-13 02:07:34 UTC 
State Changed
From-To: open->closed

That's a feature, not a bug.
Comment 2 dwmalone freebsd_committer freebsd_triage 2001-06-13 11:50:01 UTC 
Responsible Changed
From-To: freebsd-bugs->dwmalone

I'll have a look at this. 
..
Comment 3 dwmalone freebsd_committer freebsd_triage 2001-06-14 14:20:31 UTC 
State Changed
From-To: closed->open

DES and I have worked out a way of allowing ident in a jail using 
the socket's credentials and Robert Watson's u_cansee code. 

The (untested) patch below is intended to have the following 
semantics: 

1) A unjailed getcred caller can get the creds for any socket. 
2) A jailed getcred caller can only get the creds for a socket 
if that socket was created by a process in the same jail. 

I'll forward the patch to -audit with more details. 

David. 

--- tcp_subr.c.orig	Thu Jun 14 13:46:01 2001 
+++ tcp_subr.c	Thu Jun 14 13:52:24 2001 
@@ -880,7 +880,7 @@ 
struct inpcb *inp; 
int error, s; 

-	error = suser(req->p); 
+	error = suser_xxx(0, req->p, PRISON_ROOT); 
if (error) 
return (error); 
error = SYSCTL_IN(req, addrs, sizeof(addrs)); 
@@ -893,6 +893,9 @@ 
error = ENOENT; 
goto out; 
} 
+	error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred); 
+	if (error) 
+		goto out; 
bzero(&xuc, sizeof(xuc)); 
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; 
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; 
@@ -916,7 +919,7 @@ 
struct inpcb *inp; 
int error, s, mapped = 0; 

-	error = suser(req->p); 
+	error = suser_xxx(0, req->p, PRISON_ROOT); 
if (error) 
return (error); 
error = SYSCTL_IN(req, addrs, sizeof(addrs)); 
@@ -945,6 +948,9 @@ 
error = ENOENT; 
goto out; 
} 
+	error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred); 
+	if (error) 
+		goto out; 
bzero(&xuc, sizeof(xuc)); 
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; 
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
Comment 4 dwmalone freebsd_committer freebsd_triage 2001-06-24 13:18:41 UTC 
State Changed
From-To: open->closed

The getcred sysctl calls have been made work within jails in -current. 

Unfortunately merging this to -stable would involve a significant 
merging of Robert Watson's work on credentials which is probably 
too large a change for -stable.