[hobbit] Issues with hobbitd loading

Don Munyak don.munyak at gmail.com
Tue Apr 10 15:28:56 CEST 2007


Thanks Henrik...

I read the link as well as the {prev} page from said link. And then
googled the author. OT: I can't believe the author was in 9th grade
when he wrote the article. I am completely amazed and envious.

http://www.samag.com/documents/s=1151/sam0105d/0105d.htm

...anyway

I made the change to the HOST sysctl.conf.

security.jail.sysvipc_allowed=1

Current sysctl.conf for HOST system

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
# net.inet.tcp.blackhole=2
# net.inet.udp.blackhole=1
net.inet.ip.check_interface=1
net.inet.tcp.recvspace=32768
net.inet.tcp.sendspace=32768
net.inet.tcp.syncookies=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1
kern.ipc.shmmax=536870912

%sysctl -A -d |grep jail {listing human readable desc}
security.jail.set_hostname_allowed:Processes in jail can set their hostnames
security.jail.socket_unixiproute_only:Processes in jail are limited to
creating UNIX/IPv4/route sockets only
security.jail.sysvipc_allowed:Processes in jail can use System V IPC primitives
security.jail.enforce_statfs:Processes in jail cannot see all mounted
file systems
security.jail.allow_raw_sockets:Prison root can create raw sockets
security.jail.chflags_allowed:Processes in jail can alter system file flags
security.jail.list:List of active jails
security.jail.jailed:Process in jail?

%sysctl -A | grep jail
security.jail.set_hostname_allowed:1
security.jail.socket_unixiproute_only:1
security.jail.sysvipc_allowed:1
security.jail.enforce_statfs:2
security.jail.allow_raw_sockets:1
security.jail.chflags_allowed:0
security.jail.list:Format:S Length:2584
Dump:0x01000000020000002f7573722f6a6169...
security.jail.jailed:0

----
hobbitd now loads and website appears functional. I haven't yet
configured any host systems.

----
Aside from the obvious "Processes in jail can use System V IPC
primitives", what does this mean in terms of security?
I understand that should a jail get hacked, the hacker can use system
V IPC primitives. How and to what extent?

Thanks so much for your help

Don
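
An added example, not part of the original message or of the Xymon/hobbit project: a POSIX sh/awk check that flags the jail sysctls in a sysctl.conf or `sysctl -A` listing, such as the ones quoted above, that are set looser than the restrictive values. The function names, the sample input and the table of restrictive values (taken from the jail(8) defaults) are assumptions.

```shell
#!/bin/sh
# Added example: flag jail sysctls that relax isolation in sysctl.conf-style text.
# The restrictive values are an assumption taken from the jail(8) defaults.
# jail(8) of this era notes that SysV IPC is one namespace shared by host and jails.
# audit_jail_sysctls [FILE...]  (reads stdin when no file is given)
# Accepts "name=value" (sysctl.conf) and "name:value" (sysctl -A as quoted above).
# Prints one RELAXED line per finding; exit status 1 if anything was flagged.
audit_jail_sysctls() {
    awk '
    BEGIN {
        names = "sysvipc_allowed allow_raw_sockets chflags_allowed socket_unixiproute_only enforce_statfs"
        n = split(names, knob, " "); split("0 0 0 1 2", want, " ")
    }
    /^[ \t]*#/ { next }                       # commented-out settings do not apply
    {
        sub(/[ \t]*#.*$/, "")                 # drop trailing comments
        p = match($0, /[=:]/)                 # first separator splits name from value
        if (p == 0) next
        name = substr($0, 1, p - 1); value = substr($0, p + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", value)
        seen[name] = value                    # a later line overrides an earlier one
    }
    END {
        for (i = 1; i <= n; i++) {
            full = "security.jail." knob[i]
            if (!(full in seen)) continue     # unset here: the kernel default applies
            v = seen[full] + 0
            # enforce_statfs is a level (lower shows more); the other knobs are on/off
            relaxed = (knob[i] == "enforce_statfs") ? (v < want[i]) : (v != want[i])
            if (relaxed) {
                printf "RELAXED %s=%s (restrictive: %s)\n", full, seen[full], want[i]
                bad = 1
            }
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample: a subset of the host sysctl.conf lines quoted in the message.
sample_conf() {
    cat <<'EOF'
# net.inet.tcp.blackhole=2
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1
kern.ipc.shmmax=536870912
EOF
}

sample_conf | audit_jail_sysctls || true      # flags sysvipc_allowed and allow_raw_sockets
```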


