1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
.. description: is a tool for the FreeBSD operating system to allow flexible and secure communication from jail environments to the host system.
.. tags: project
.. date: 2015/02/18 19:10:08
.. title: jaildaemon
.. subtitle: A fixed command-line interface for FreeBSD jails to their host system
.. slug: ../arts/software/jaildaemon
.. prio: 850
.. contents::
:depth: 1
:class: ezjail-toc
----
Overview
========
.. image:: http://www.freebsd.org/gifs/daemon_hammer-tn25.jpg
:align: right
Virtual FreeBSD jail based server environments can not easily trigger actions in the host system, most prominently restarting themselves (if they ``kill -1`` everything, they usually stay shut down) and trigger actions like routing table updates, triggering zfs snapshots or rollbacks and configuring ``tun/tap``-Devices (as an openvpnd would).
There are several less-than-optimal solutions for that problem: granting forced-command ssh access to jails, polling some Jail-state from within the host system or dig some proprietary socket holes through the Jail's barrier, exposing a root-shell attack vector to the outside world.
*jaildaemon* aims to solve the problem in a simple and straight forward way while trying to minimize the attack surface for adversaries from the Jail and the network. It is a tiny daemon running in the host system that forks a probe process with a single associated command on demand, attaches it to a single jail and (optionally) assigns it a verbose proctitle. When the Jail's root user sends a SIGHUP to this probe process, it dies with a magic exit code, signalling the daemon to execute the associated command (in host context). You can chose to have the daemon restart the probe process after the command is executed (e.g. when it triggers updating routing tables) or just wait for it to be restarted by the Jail management tool (e.g. when using ``/usr/local/etc/rc.d/ezjail restart shell.foo.com`` as a reboot helper).
----
Code
====
You can always get the latest version of *jaildaemon*, use ``git clone git://erdgeist.org/jaildaemon`` or the legacy view ``cvs -d :pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co jaildaemon`` with an empty password to check it out. There is a *jaildaemon* tarball, but no versioning yet. You can scroll through the source at `jaildaemon gitweb </gitweb/jaildaemon>`_ or `jaildaemon cvsweb (deprecated) </cvsweb/jaildaemon>`_. Typing ``make install`` installs the binary in your ``${PREFIX}/bin`` (or ``/usr/local``, if none is set) and the rc-script to ``${PREFIX}/etc/rc.d/``.
A tight integration with `ezjail </arts/software/ezjail/>`_ is, of course, following soon.
----
Examples
========
Start the daemon as root with ``jaildaemon -D``, with optional parameters ``p`` and ``f`` to request the pidfile being written or to specify a different controlling command unix domain socket location (that is used by *jaildaemon* when run in client mode to communicate with the server, and defaults to ``/var/run/jaildaemon.pipe``), respectively.
If you installed the package, you can just enable *jaildaemon* in your ``/etc/rc.conf``, by adding ``jaildaemon_enable=YES``. It should then start at reboot, or when you run ``/usr/local/etc/rc.d/jaildaemon start``.
Start a new probe process in a Jail (in this example jid 23) to trigger the execution of the script::
/usr/local/bin/parse_route_config -s /usr/jails/shell.foo.com/
while identifying as 'route config update' in the jail and respawn::
jaildaemon -j 23 -c '/usr/local/bin/parse_route_config -s /usr/jails/shell.foo.com/' -t 'route config update' -r
From within the jail (``ezjail-admin console shell.foo.com``) trigger the command by ``pkill -HUP -f 'route config update'``.
Start a (non-spawning) Jail reboot trigger::
jaildaemon -j 23 -c '/usr/local/etc/rc.d/ezjail restart shell.foo.com' -t REBOOT
Now, from within that Jail, reboot via ``pkill -HUP -f REBOOT``.
----
Version history
===============
* Version 0.5:
* Fix the IPC packet size to match with system's net.local.dgram.maxdgram, which defaults to 2048
* Version 0.4:
* Fix a bug where proctitle length was not parsed from the correct field
* Version 0.3:
* Add a -g switch to allow *jaildaemon* to be passed a gid.
* Version 0.2:
* Fixed a bug where *jaildaemon* when run from /etc/rc would ignore SIGHUP by default.
* You can now make the probe drop into another uid, so that non-root-processes can trigger actions, as well.
* Allow *jaildaemon* to accept the jailname for the -j parameter, as well.
----
License
=======
*jaildaemon* was written by `Dirk Engling <mailto:erdgeist@erdgeist.org>`_ with lots of help from sg and is considered `beer ware </beerware.html>`_.
|