
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
2147 views
How to use Jailkit Jail Manager in Virtualmin to restrict users
How to use Jailkit Jail Manager in Virtualmin (Webmin 1.892) to restrict users in their homes, including the virtual website and all services running under the user? I am setting up a small website hosting service and I must disable access to everything except the user's home. I don't want to use FTP or FTPS! Users will have full SSH access to their system and they will be able to run, for example, NodeJS scripts, Teamspeak, etc. Is it possible? If yes, is it possible in Virtualmin, or does it need more and deeper setup?

EDIT: I am using Debian 9
Baterka (313 rep)
Sep 27, 2018, 09:13 PM • Last activity: Jul 31, 2025, 12:04 PM
3 votes
1 answers
4132 views
How to change the default (binary) python version in a FreeBSD jail?
In a jail, I have installed `python3.6` alongside `python3.4`. Both were installed using `pkg install`, no ports. I want to keep the 3.4 version for some time, but set 3.6 as the default. Answers found on the internet, like [this one](https://stackoverflow.com/questions/9349831/how-to-set-python-version-by-default-in-freebsd) or [this one](https://unix.stackexchange.com/questions/254660/freebsd-using-python3-in-uwsgi-instead-of-python2), either involve linking `/usr/local/bin/python` to `python3.6` myself (which must be done again after any upgrade of the default python, which I'd like to avoid; plus there's no such link anyway), or setting `DEFAULT_VERSIONS` in `/etc/make.conf`, which has no effect on binary installation (I've tried, nevertheless). Moreover, the virtual environment is not an option, since I want to run uwsgi, which requires the *system wide* default python to match the one in the python virtual environment of the python application it "monitors" (in my case, Django), in order to start correctly. Even if I start from inside Django's virtual environment (providing python3.6), uwsgi detects python3.4 as the default python version. I cannot find whether there is any environment variable missing either. For information, inside the jail (and virtual environment):

```
# printenv
USER=root
LOGNAME=root
HOME=/root
SHELL=/bin/csh
BLOCKSIZE=K
MAIL=/var/mail/root
PATH=/usr/local/venv/dj1/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
TERM=xterm-256color
HOSTTYPE=FreeBSD
VENDOR=amd
OSTYPE=FreeBSD
MACHTYPE=x86_64
SHLVL=1
PWD=/var/log
GROUP=wheel
HOST=dev_web0
EDITOR=vi
LANG=fr_FR.UTF-8
MM_CHARSET=UTF-8
PAGER=more
VIRTUAL_ENV=/usr/local/venv/dj1
```
zezollo (141 rep)
May 3, 2017, 02:52 PM • Last activity: Jun 27, 2025, 08:04 AM
0 votes
0 answers
53 views
FreeBSD Jails with Google cloud
I tried searching the title on SO but nothing turned up. This is my first question so I apologize if I am doing something wrong. My idea is to have jails serve my websites on Google Cloud instead of running multiple VMs. I have created a FreeBSD VM with ZFS. My issue is that I am not sure how to proceed with the networking aspect of this. I am using Bastille to create the jails and during creation it asks for an IP to link to the jail. The VM provides me with 1 internal and 1 external. It has the option to reserve a range of internal IPs that it links to the host itself. I am not sure if that's of any help. My idea is to serve subdomains from their respective jails.
Aman (1 rep)
Apr 3, 2025, 05:03 PM
1 votes
1 answers
984 views
How can I manage services running in a FreeBSD jail?
I’ve inherited some systems that run on the FreeBSD operating system and inside jails. Basically the services running are old versions of `qmail`, `spamd`, Dovecot, etc. None of the versions are up to date or even maintainable any more. At present we can’t move from these systems but I would at least like to be able to troubleshoot them.

My question: Normally I would be able to run, for example, `service qmail status` and get some info about the top level process. How do I do this inside a jail? In the case of the qmail process I can use `qmailctl`, but what would be the equivalent for spamd or Dovecot? Also, how do you go about troubleshooting these types of services? The logs don’t really give a very good steer on what could be going wrong.
MB. (145 rep)
Jan 7, 2020, 05:53 PM • Last activity: Jan 16, 2025, 01:13 PM
0 votes
0 answers
53 views
ADB server does not ACK if it is launched inside Linux chrooted / jailed / emulated with the Linuxulator
I'm trying to connect to my mobile phone using adb over wifi using the Linuxulator because I want to install a specific java application that requires Linux to work. I have already used Linux virtualized with bhyve and it worked. But I prefer to save some memory trying to use the Linuxulator instead of starting a vm, if possible. I've already tried to run the app using java installed natively on FreeBSD, but it fails because it wasn't designed for this. So:

```
[root@noble /]==> adb connect 192.168.1.2:5555
* daemon not running. starting it now on port 5037 *
cannot bind 'tcp:5037'
ADB server didn't ACK
* failed to start daemon *
error: cannot connect to daemon
```

that's the error that I get. I'm not sure if I can use some trick or if there is anything that I can do because the Linuxulator does not support that in any way. Instead, if I launch it directly in FreeBSD, it works:

```
[root@marietto /home/marietto]==> adb connect 192.168.1.2:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 192.168.1.2:5555
```

The problem is that the java app does not recognize that the adb server is working:

```
[root@noble /home/marietto/Desktop/Files/OS/Linux/Tools/DeskDockServer_1.3.0]==> java -jar DeskDockServer_1.3.0.jar
Program: DeskDockServer 1.3.0
System: Linux 5.15.0, amd64
JRE: 21.0.5+11-Ubuntu-1ubuntu124.04
AdbLocator: Found ADB in env PATH
class com.floriandraschbacher.deskdockserver.Main: Using ADB from /usr/bin/adb
ab@3f95b479: Error getting devices: ADB server didn't ACK
q$b@31524dfb: Error getting ADB devices: java.io.IOException: java.io.IOException: ADB server didn't ACK
```

but it is working:

```
[root@noble /home/marietto/Desktop/Files/OS/Linux/Tools/DeskDockServer_1.3.0]==> ps ax
PID TTY STAT TIME COMMAND
6089 pts/0 R+ 0:00 ps ax
5979 pts/0 S 0:00 adb -P 5037 fork-server server
5952 pts/0 S 0:00 /bin/zsh
```

According to this thread: https://forums.freebsd.org/threads/make-jail-available-to-bind-only-certain-ports.85609/

I want to create a Jail with a public IP address. But as we have IPv4 address shortage. I want to only make the jail able to bind to a range of ports (say 700 to 750). I asked in the IRC and one answer was to use pf to NAT ports from/to the jail.

this is what I tried to do:

```
nano /etc/pf.conf

nat on $ext_if from 127.0.0.0/24 to any -> 192.168.1.2
rdr on $ext_if proto tcp from any to any port 5037:5555 -> 127.0.0.255
```

```
root@noble:/home/marietto/Desktop/Files/OS/Linux/Tools/DeskDockServer_1.3.0# ./adb connect
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
** daemon still not running
error: cannot connect to daemon
root@noble:/home/marietto/Desktop/Files/OS/Linux/Tools/DeskDockServer_1.3.0# ps ax
PID TTY STAT TIME COMMAND
8759 pts/2 R+ 0:00 ps ax
8758 pts/2 S 0:00 adb -P 5037 fork-server server
8739 pts/2 S 0:00 /bin/bash
```

but it didn't work:

```
root@noble:/home/marietto/Desktop/Files/OS/Linux/Tools/DeskDockServer_1.3.0# java -jar DeskDockServer_1.3.0.jar
2024-11-22 17:33:02.348 Program: DeskDockServer 1.3.0
2024-11-22 17:33:02.348 System: Linux 5.15.0, amd64
2024-11-22 17:33:02.348 JRE: 21.0.5+11-Ubuntu-1ubuntu124.04
2024-11-22 17:33:02.469 AdbLocator: Found ADB in env PATH
2024-11-22 17:33:02.469 class com.floriandraschbacher.deskdockserver.Main: Using ADB from /usr/bin/adb
2024-11-22 17:33:02.508 ab@c703a44: Error getting devices: ADB server didn't ACK
2024-11-22 17:33:02.508 q$b@2b7d5ba: Error getting ADB devices: java.io.IOException: java.io.IOException: ADB server didn't ACK
```
Marietto (579 rep)
Nov 22, 2024, 06:37 PM
1 votes
1 answers
235 views
Automate deploying a bunch of thin jails
I'm setting up the *ARR suite apps in jails (using the Bastille manager). I used to do this in Debian and Docker but this time I moved to FreeBSD to try out its native ZFS support. In setting up I need to set up a uniform user, set up external mounts (the involved bit) and install the apps on each jail. I did this manually on a trial system and it works perfectly (finally!). In Docker this was all automated in the form of compose scripts. I write it up once and then don't need to worry about it when I reinstall/upgrade the host. Is there any automation tool I can use in my case?
Anton A (157 rep)
May 12, 2024, 06:46 AM • Last activity: May 14, 2024, 03:03 PM
1 votes
1 answers
120 views
Forgejo pid file (/var/run/forgejo.pid) : not readable in Truenas Core (FreeBSD Jail)
I have been trying to get Forgejo running in a Truenas Core (FreeBSD jail) for over a week. When I manually start Forgejo as the git user it runs as expected, however attempting to get it to run with the included rc file provided by the ports package it errors out.

Forgejo Port, rc.d script

When I start forgejo manually it runs:

```
root@Forgejo:/home/jailuser # su git
git@Forgejo:/home/jailuser $ forgejo web -c /usr/local/etc/forgejo/conf/app.ini
2024/04/23 18:59:36 cmd/web.go:242:runWeb() [I] Starting Forgejo on PID: 4748
2024/04/23 18:59:36 cmd/web.go:111:showWebStartupMessage() [I] Forgejo version:1.21.11-1 built with GNU Make 4.4.1, go1.21.9 : bindata, pam, sqlite, sqlite_unlock_notify
```

However, when I attempt to start the forgejo service I get the following pid not found error:

```
root@Forgejo:/home/jailuser # service forgejo start
/usr/local/etc/rc.d/forgejo: DEBUG: Sourcing /etc/defaults/rc.conf
/usr/local/etc/rc.d/forgejo: DEBUG: pid file (/var/run/forgejo.pid): not readable.
/usr/local/etc/rc.d/forgejo: DEBUG: checkyesno: forgejo_enable is set to YES.
/usr/local/etc/rc.d/forgejo: DEBUG: run_rc_command: doit: forgejo_start _
root@Forgejo:/home/jailuser # mount
Main/iocage/jails/Forgejo/root on / (zfs, local, noatime, nfsv4acls)
root@Forgejo:/home/jailuser # ll /var
total 81
drwxr-x--- 2 root wheel 2 Mar 1 18:50 account/
drwxr-xr-x 4 root wheel 4 Mar 1 18:50 at/
drwxr-x--- 4 root audit 4 Mar 1 18:50 audit/
drwxrwx--- 2 root authpf 2 Mar 1 18:50 authpf/
drwxr-x--- 2 root wheel 8 Apr 23 03:21 backups/
drwxr-xr-x 2 root wheel 2 Mar 1 18:50 cache/
drwxr-x--- 2 root wheel 3 Mar 1 19:06 crash/
drwxr-x--- 3 root wheel 3 Mar 1 18:50 cron/
drwxr-xr-x 14 root wheel 17 Apr 20 21:43 db/
dr-xr-xr-x 2 root wheel 2 Mar 1 18:50 empty/
drwxrwxr-x 2 root games 2 Mar 1 18:50 games/
drwx------ 2 root wheel 2 Mar 1 18:50 heimdal/
drwxr-xr-x 3 root wheel 23 Apr 23 00:00 log/
drwxrwxr-x 2 root mail 5 Apr 20 21:01 mail/
drwxr-xr-x 2 daemon wheel 3 Apr 20 19:28 msgs/
drwxr-xr-x 2 root wheel 2 Mar 1 18:50 preserve/
drwxr-xr-x 6 root wheel 18 Apr 23 18:56 run/
drwxrwxr-x 2 root daemon 2 Mar 1 18:50 rwho/
drwxr-xr-x 9 root wheel 9 Mar 1 18:50 spool/
drwxrwxrwt 3 root wheel 3 Mar 1 18:50 tmp/
drwxr-xr-x 3 unbound unbound 3 Mar 1 18:50 unbound/
drwxr-xr-x 2 root wheel 4 Mar 1 19:24 yp/
root@Forgejo:/home/jailuser #
```

Manually executing the daemon command results in an exit status of 0 with no other useful information. Tried relocating the pid file to a directory with 777 permissions and still getting the same error. My only guess right now would be that forgejo is dying almost immediately before daemon is able to create the pid file? Not sure how to get stdout from forgejo to see if there are any errors (forgejo is not logging anything to its log file directory). Any ideas?
UPDATE: Adding truss to the init script on the call to daemon yields the following:

UPDATE: TrueNAS-13.0-U6.1 jailuser@Forgejo:~ $ uname -a FreeBSD Forgejo 13.1-RELEASE-p9 FreeBSD 13.1-RELEASE-p9 n245429-296d095698e TRUENAS amd64
IronFractal (13 rep)
Apr 30, 2024, 02:52 AM • Last activity: May 4, 2024, 09:09 AM
1 votes
1 answers
144 views
Why is keyboard and mouse unable to be hotplugged in FreeBSD jail?
I have an entire system with xorg-x11 running in a jail. My only issue is that I am unable to add or remove a keyboard or mouse while X is running. If I restart X, the newly connected keyboard or mouse works just fine. I don't want to restart X. If I run my system on bare metal, it works as expected. It only occurs when I run it from a jail. I see the devices are created as I plug or unplug them:

```
/dev/input/event*
/dev/usb/*
/dev/ukbd*
/dev/kbd*
/dev/ums*
/dev/ugen*
```

I have dbus running, but for whatever reason, Xorg doesn't appear to be seeing them. If I tail /var/log/Xorg.0.log, I don't see any messages indicating a keyboard or mouse being added or removed as I plug or unplug it.

EDIT #1: My devfs rules for this jail are:

```
add path 'dri*' unhide
add path 'drm*' unhide
add path 'dsp*' unhide
add path 'mixer*' unhide
add path 'speaker*' mode 0660 group operator unhide
# USB drives
add path 'da*' unhide
```

EDIT #1: To answer the questions from the answer:

1. My devfs rules match the jail devfs rule id.
2. The Xorg.0.log shows no events when I unplug and replug the keyboard and mouse. Conversely, the host system shows the keyboard and mouse being unplugged and replugged.
3. The host system is a minimal install, it has management packages and video drivers, that's it. It does not have a complete Xorg install.

EDIT #2:

1. I installed inputplug and ran `DISPLAY=:0 inputplug -d --debug -c echo` and it did not print any output while I plugged in a keyboard and unplugged it.
2. Again, dmesg on the base / host system shows the keyboard being plugged and unplugged.
3. The jail showed the device under /dev/ukbd1 matching the host.
4. The jail also showed the newly added device under /dev/input/event7.
5. `xinput list` isn't showing any difference in before and after.

Hmm, I cannot create any file in /dev as root within the jail. This is a stretch, but is it that the jail itself does not have permissions to create any device nodes it needs and is instead relying on the host to create them?
John Doe (123 rep)
Mar 19, 2024, 03:00 PM • Last activity: Apr 8, 2024, 10:52 PM
2 votes
2 answers
2043 views
Restrict linux process write permission to one folder
I want a process (and all its potential children) to be able to read the filesystem according to my user profile but I want to restrict that process's write permission to only a set of pre-selected folders (potentially only one). `chroot` seems to act too broadly: it restricts the process to a particular part of the filesystem, which makes it cumbersome because of the need to mount /bin folders and the like. My process should be able to read the content of the filesystem as any normal process I launch. I could use a docker container and mount a volume but that seems overkill: need to install docker, create an image, launch the container in it, etc. Is there a way to do something like this?

```
restricted-exec --read-all --write-to /a/particular/path --write-to /another/particular/path my-executable -- --option-to-the-executable
```
Some sort of [unveil](https://man.openbsd.org/unveil.2) but controlled by the calling process and only for write access.
Luke Skywalker (205 rep)
Feb 27, 2022, 05:51 PM • Last activity: Nov 14, 2023, 02:39 PM
6 votes
1 answers
6490 views
How can I enable/disable a jail using fail2ban?
We can add a line like this below a specific jail in the jail.local file, and control the jail:

```
enabled = true/false
```

But I think there should be a command to do this, as we've got a bunch of "set" commands here: https://www.fail2ban.org/wiki/index.php/Commands

But I can't find a related command for doing this. I don't want to do it manually. Does anybody know a command to do this?
Aref Alikhani (85 rep)
Jun 30, 2020, 11:42 AM • Last activity: Sep 10, 2023, 02:46 AM
5 votes
2 answers
3830 views
How to install PostgreSQL 9.3 in FreeBSD jail?
I configured virtual NICs using `pf`, and a jail for FreeBSD using `qjail create pgsql-jail 192.168.0.3`. When I tried to install PostgreSQL 9.3 using the ports collection, it showed a strange message at first.

```
pgsql-jail /usr/ports/databases/postgresql93-server >make install
===> Building/installing dialog4ports as it is required for the config dialog
===> Cleaning for dialog4ports-0.1.5_1
===> Skipping 'config' as NO_DIALOG is defined
====> You must select one and only one option from the KRB5 single
*** [check-config] Error code 1
Stop in /basejail/usr/ports/ports-mgmt/dialog4ports.
*** [install] Error code 1
Stop in /basejail/usr/ports/ports-mgmt/dialog4ports.
===> Options unchanged
=> postgresql-9.3.0.tar.bz2 doesn't seem to exist in /var/ports/distfiles/postgresql.
=> Attempting to fetch ftp://ftp.se.postgresql.org/pub/databases/relational/postgresql/source/v9.3.0/postgresql-9.3.0.tar.bz2
postgresql-9.3.0.tar.bz2 1% of 16 MB 71 kBps
```

Anyway, installation continues, so I waited. I chose all default options for all option dialogs. And at the end of the process, I saw it finally failed with this message.

```
====> Compressing man pages
===> Building package for pkgconf-0.9.3
Creating package /basejail/usr/ports/devel/pkgconf/pkgconf-0.9.3.tbz
Registering depends:.
Registering conflicts: pkg-config-*.
Creating bzip'd tar ball in '/basejail/usr/ports/devel/pkgconf/pkgconf-0.9.3.tbz'
tar: Failed to open '/basejail/usr/ports/devel/pkgconf/pkgconf-0.9.3.tbz'
pkg_create: make_dist: tar command failed with code 256
*** [do-package] Error code 1
Stop in /basejail/usr/ports/devel/pkgconf.
*** [build-depends] Error code 1
Stop in /basejail/usr/ports/textproc/libxml2.
*** [install] Error code 1
Stop in /basejail/usr/ports/textproc/libxml2.
*** [lib-depends] Error code 1
Stop in /basejail/usr/ports/databases/postgresql93-server.
*** [install] Error code 1
Stop in /basejail/usr/ports/databases/postgresql93-server.
```

I have no idea why this fails. The errors at the beginning seem to say I have something wrong with dialog4ports. And the errors at the end seem to say the installer cannot write to the ports file tree. AFAIK, the ports files are shared read-only from the host system. What's wrong with my jail? How can I install PostgreSQL 9.3 in my jail?
Eonil (4777 rep)
Oct 7, 2013, 03:29 PM • Last activity: May 16, 2023, 04:10 PM
0 votes
1 answers
215 views
How to log and block all internet access from a program?
I have a binary from an untrusted source, and I would like to block and log any internet access attempt, and see to what server it tries to connect. A first way I thought of is using firejail (https://wiki.archlinux.org/title/firejail), but I would need to have a fake virtual net interface that logs everything, I guess. Do you have another solution, or do you know how to make such a virtual interface?
hl037_ (139 rep)
Mar 30, 2023, 04:30 PM • Last activity: Mar 31, 2023, 08:54 AM
1 votes
1 answers
408 views
Does fstab make sense for chroot jail?
I've created an fstab file (to mount /dev/pts and /proc, with the bind option) as part of a jail but when I chroot to the jail neither filesystem is mounted. This makes me wonder when the fstab for a jail is parsed while chroot-ing. Is this done before, during, after or never? I'm starting to think never because once the jail has been entered the filesystems that fstab is trying to mount should be out of reach. *(I encountered this stuff while debugging a production system, which makes me wonder if chroot jail fstabs used to be supported but no longer are.)*
Olumide (177 rep)
Jan 30, 2023, 05:07 PM • Last activity: Jan 30, 2023, 08:06 PM
3 votes
1 answers
868 views
Jail/Sandbox process on an overlay root and track changes
## What I am trying to achieve

I want to run a process as an unprivileged user, but all files that are changed by this process should be only changed in a shadow folder. Furthermore, I want to disable networking capabilities if needed.

## What I have already tried

- mount overlay with lowerdir `/` and upperdir /temp/fakeroot, unshare -rn, chroot /temp/overlay
  - Problems: requires root for mount, overlay ignores nested mounts (my home directory)
- unshare -rmn, mount overlay with lowerdir `/` and upperdir /temp/fakeroot
  - Problems: error while trying to mount because /tmp is a subfolder of /
- fuse-overlayfs, unshare -rn, chroot
  - Problems: works only on kernels > 5.16, nested mounts can be read but writing is not possible
  - Note: I would be ok with the kernel limitation, but the nested mounts make it not usable

## Alternatives that I know exist, but do not seem promising

- Overlayroot: needs to be mounted at startup and does not store change delta
- overlayroot-chroot: Based on above.
- mergefs for merging all file systems into one: can't see how this would be done
- using Docker: requires root, does not store change delta

Does anyone have an idea how to do that?
Raphael Jenni (151 rep)
Oct 21, 2022, 09:12 AM • Last activity: Oct 21, 2022, 02:28 PM
1 votes
1 answers
504 views
Run firefox within a Linux chroot jail in FreeBSD 13.1
I have managed to install an Ubuntu chroot jail within FreeBSD 13.1. However, I need to run Firefox from it to launch Jupyter Lab from a python virtual environment within the chroot subsystem. I was wondering if I could use the FreeBSD Firefox from the subsystem. Nevertheless, I installed Firefox on the chroot subsystem and when I tried to run it I get an error as below.

```
(newEnv) schroter1@SCHROTER:~$ firefox
No protocol specified
Unable to init server: Broadway display type not supported: unix:0.0
Error: cannot open display: unix:0.0
```

Would anyone be able to help me in this regard? Thanks & Best Regards, Schroter Michael
Michael Schroter (111 rep)
Sep 20, 2022, 06:53 AM • Last activity: Oct 13, 2022, 11:50 AM
2 votes
0 answers
228 views
How to re-enable the `enable` command?
As part of a script to set up a restricted user, I ran the `enable -n enable` command. For testing purposes I would like to undo that command but I can't find any documentation on how to do so. I know normally I would just run `enable enable`, but since that command is disabled that isn't an option. The user in question is chrooted and running rbash, I have superuser access on the device and I have tried things like `sudo su -c "enable echo" usernameHere` with no success. I know I can always just scrap the user and start again, but I have a feeling that there's a better way that I'm missing, so I would like to avoid deleting the user if possible. Any input and advice would be appreciated!
ajmeese7 (380 rep)
Apr 28, 2022, 01:42 AM
2 votes
2 answers
1376 views
man returns execve: No such file or directory in chroot jail
I created a chroot jail and copied multiple binaries and their corresponding libraries to the relevant subdirectories. Example:

```
cp -v /usr/bin/edit /home/jail/usr/bin
ldd /usr/bin/edit
    linux-vdso.so.1 (0x00007fff565ae000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f7749145000)
    libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f7748f11000)
    libacl.so.1 => /lib64/libacl.so.1 (0x00007f7748d08000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f7748b04000)
    libperl.so => /usr/lib/perl5/5.18.2/x86_64-linux-thread-multi/CORE/libperl.so (0x00007f7748771000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f7748554000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f77481ad000)
    libattr.so.1 => /lib64/libattr.so.1 (0x00007f7747fa8000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f7749446000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f7747d6d000)
cp -v /lib64/{libm.so.6,libtinfo.so.5,libacl.so.1,libdl.so.2,libpthread.so.0,libc.so.6,libattr.so.1,ld-linux-x86-64.so.2,libcrypt.so.1} /home/jail/lib64/
```

I did the same with the `man` command and copied all manual files with `cp -rv /usr/share/man/ /home/jail/usr/share/`, but if I execute it, it returns this error:

```
-bash-4.2$ man gzip
execve: No such file or directory
```

What could be missing?

More details:

```
-bash-4.2$ ls /usr/share/man
ca da el es fr.ISO8859-1 hu it man0p man1p man3 man4 man6 man8 mann pl pt_BR sk sv zh zh_TW
cs de eo fr fr.UTF-8 id ja man1 man2 man3p man5 man7 man9 nl pt ru sr uk zh_CN
```

Update:

```
-bash-4.2$ strace -f /usr/bin/mandb ls 2>ls.log
-bash-4.2$ cat ls.log
execve("/usr/bin/mandb", ["/usr/bin/mandb", "ls"], [/* 45 vars */]) = 0
brk(0) = 0x138b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd43a9ac000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/tls/x86_64", 0x7ffde87d2510) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/tls", 0x7ffde87d2510) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/x86_64", 0x7ffde87d2510) = -1 ENOENT (No such file or directory)
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1974416, ...}) = 0
mmap(NULL, 3828256, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd43a3e6000
mprotect(0x7fd43a584000, 2093056, PROT_NONE) = 0
mmap(0x7fd43a783000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7fd43a783000
mmap(0x7fd43a789000, 14880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd43a789000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd43a9ab000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd43a9aa000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd43a9a9000
arch_prctl(ARCH_SET_FS, 0x7fd43a9aa700) = 0
mprotect(0x7fd43a783000, 16384, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ) = 0
mprotect(0x7fd43a9ad000, 4096, PROT_READ) = 0
brk(0) = 0x138b000
brk(0x13ac000) = 0x13ac000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de_DE.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de_DE.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de_DE/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/de/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
getuid() = 1000
geteuid() = 1000
getgid() = 100
execve("/usr/lib/man-db/mandb", ["/usr/bin/mandb", "ls"], [/* 45 vars */]) = -1 ENOENT (No such file or directory)
dup(2) = 3
fcntl(3, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE)
close(3) = 0
write(2, "execve: No such file or director"..., 34execve: No such file or directory
) = 34
exit_group(-22) = ?
+++ exited with 234 +++
```

Update2: Ok this part was missing:

```
cp -rv /usr/lib/man-db/ usr/lib/
```

Now I get this error:

```
man: error while loading shared libraries: libmandb-2.6.6.so: cannot open shared object file: No such file or directory
```

Strangely it's not part of the ldd return:

```
# which mandb
/usr/bin/mandb
# ldd /usr/bin/mandb
    linux-vdso.so.1 (0x00007fffd64d0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1885120000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f18854c7000)
```

Finally I needed those libraries:

```
cp /usr/lib64/libmandb-2.6.6.so usr/lib64/libmandb-2.6.6.so
cp /usr/lib64/libgdbm.so.4 usr/lib64/libgdbm.so.4
```

After that man loaded, but no text is displayed:

```
# man ls
Man: find all matching manual pages (set MAN_POSIXLY_CORRECT to avoid this)
 * ls (1)
   ls (1p)
Man: What manual page do you want?
Man: 1
```

[image]

I compared the strace results of the jail and root user and they differ now only in this part (jail is left):

[image]

As I added a bind mount to /var/run/nscd, the socket is available for the jail user:

```
-bash-4.2$ if [[ -S /var/run/nscd/socket ]]; then echo "socket is available"; fi
socket is available
```

So the problem seems to be something else?!

Update3: @nobody Yes, passwd and group are present:

```
-bash-4.2$ ls -la /etc
total 124
drwxr-xr-x  4 root root   216 Nov 11 14:15 .
drwxr-xr-x 13 root root   183 Nov  4 08:49 ..
-rw-r--r--  1 root root   779 Nov  3 12:43 group
-rw-r--r--  1 root root 67659 Nov 11 13:55 ld.so.cache
-rw-r--r--  1 root root  2335 Nov  4 09:02 localtime
-rw-r--r--  1 root root 12061 Nov 11 13:16 manpath.config
-rw-r--r--  1 root root  1304 Nov 11 14:15 nsswitch.conf
-rw-r--r--  1 root root  3961 Nov  3 12:43 passwd
drwxr-xr-x  2 root root  4096 Nov  3 14:13 postfix
-rw-r--r--  1 root root  9168 Nov  4 09:02 profile
drwxr-xr-x  2 root root  4096 Nov  4 09:02 profile.d
-rw-r--r--  1 root root  8006 Nov  4 09:17 vimrc
```

Update4: The `-Tascii` flag returned more missing binaries:

```
-bash-4.2$ man -Tascii ls
man: can't execute tbl: No such file or directory
man: can't execute groff: No such file or directory
man: command exited with status 255: /usr/bin/zsoelim | /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t ANSI_X3.4-1968//IGNORE | tbl | groff -mandoc -Tascii
```

So I copied tbl, groff and zsoelim and the complete dir /usr/share/groff. Now two additional binaries were missing:

```
-bash-4.2$ man -Tascii ls
groff: couldn't exec troff: No such file or directory
groff: couldn't exec grotty: No such file or directory
man: command exited with status 4: /usr/bin/zsoelim | /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t ANSI_X3.4-1968//IGNORE | tbl | groff -mandoc -Tascii
```

After copying these, the manual was displayed:

[image]

But without the `-Tascii` flag it's still black/empty. :|

Update5: Default pager seems to be less

```
-bash-4.2$ env | grep MANPATH
MANPATH=/usr/share/man
-bash-4.2$ env | grep PAGER
PAGER=less
```
mgutt (547 rep)
Nov 11, 2021, 12:05 PM • Last activity: Feb 22, 2022, 07:13 AM
1 votes
0 answers
66 views
Empty executables after creating bind mount
I've created a bind mount in `/tmp/test` which I then use to establish a chroot jail. For example:

```
mount --bind -o ro /usr/bin/ /tmp/test
chroot /tmp/test /some_executable
```
This seems to work fine - most of the executables within that folder are accessible and I can interact with them normally from within the jail. However, there are at least a few files within the mount that show up as empty executables. Specifically, a class of nvidia executables used for interacting with a GPU device attached to my system:
```
/tmp/test | grep -i nvidia-*
-rwxr-xr-x 1 root root         0 Feb 13 15:16 nvidia-cuda-mps-control*
-rwxr-xr-x 1 root root         0 Feb 13 15:16 nvidia-cuda-mps-server*
-rwxr-xr-x 1 root root         0 Feb 13 15:16 nvidia-debugdump*
-rwxr-xr-x 1 root root         0 Feb 13 15:16 nvidia-persistenced*
-rwxr-xr-x 1 root root         0 Feb 13 15:16 nvidia-smi*
```
If I try to mount one of those files directly, everything works as normal:
```
/tmp/test/nvidia-smi && mount --bind -o ro /usr/bin/nvidia-smi /tmp/test/nvidia-smi
ll /tmp/test/nvidia-smi
-rwxr-xr-x 1 root root 678392 Jul 13  2021 /tmp/test/nvidia-smi*
```
Any ideas on why this is happening?

**Edit**: This is what the nvidia files look like on the filesystem before the mount:

```
/tmp# ls -l /usr/bin/nvidia-*
-rwxr-xr-x 1 root root  45824 Jul 13  2021 /usr/bin/nvidia-cuda-mps-control
-rwxr-xr-x 1 root root  14488 Jul 13  2021 /usr/bin/nvidia-cuda-mps-server
-rwxr-xr-x 1 root root 252720 Jul 13  2021 /usr/bin/nvidia-debugdump
-rwxr-xr-x 1 root root  61976 Jul 13  2021 /usr/bin/nvidia-persistenced
-rwxr-xr-x 1 root root 678392 Jul 13  2021 /usr/bin/nvidia-smi
```
Filesystem information:
```
df -T

Filesystem      Type    1K-blocks     Used Available Use% Mounted on
overlay         overlay  31444972 14551624  16893348  47% /
tmpfs           tmpfs       65536        0     65536   0% /dev
tmpfs           tmpfs    16176692        0  16176692   0% /sys/fs/cgroup
tmpfs           tmpfs    16176692        4  16176688   1% /etc/config
/dev/nvme0n1p1  xfs      31444972 14551624  16893348  47% /etc/hosts
shm             tmpfs       65536        0     65536   0% /dev/shm
tmpfs           tmpfs    16176692       12  16176680   1% /run/secrets/kubernetes.io/serviceaccount
```
stumbling.fool (11 rep)
Feb 13, 2022, 03:40 PM • Last activity: Feb 13, 2022, 04:02 PM
0 votes
1 answers
120 views
Resolve local webserver to public domain
Is there a way to forward traffic on mydomain.com to a local web server hosted on a virtual machine (bhyve)? Let's say my local machine has local IP - **1.1.1.1** And my registered domain in X hosting company is with IP - **3.3.3.3** How can I forward the traffic from 3.3.3.3 to my local virtual machine?
Baequirahael (5 rep)
Dec 10, 2021, 01:00 PM • Last activity: Dec 10, 2021, 04:21 PM
2 votes
1 answers
2997 views
FreeBSD: adding ip alias to interface breaks network on primary ip
I am trying to add an alias to my network card (I would like to use jails) on my FreeBSD box. It is running version 10.2-RELEASE-p7 (generic amd64 kernel). The machine is running in a Hyper-V virtual machine, but I experience the same thing on my physical box, the only difference is that it is running the x86 (32bit) version of the same 10.2 kernel.

The network interface hn0 has a static IP address: 192.168.0.51/24, my default router is 192.168.0.1. Everything works fine, until I add the alias:

```
ifconfig hn0 inet 192.168.0.200/32 alias
```

This creates the alias on hn0 as ifconfig shows:

```
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21
hn0: flags=8843 metric 0 mtu 1500
        options=31b
        ether 00:15:5d:00:0f:00
        inet 192.168.0.51 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.200 netmask 0xffffffff broadcast 192.168.0.200
        nd6 options=29
```

The problem is that as soon as I have the alias in place, I cannot reach any host outside my subnet (even when using the host's IP address). E.g. a google nameserver:

```
ping 8.8.8.8
ping 8.8.8.8 (8.8.8.8): 56 data bytes
```

However, I can ping anything using the alias as the source:

```
ping -S 192.168.0.200 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.0.200: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=11.137 ms
...
```

If the alias is created by jail(8) when starting a jail, the jail using the alias has network access, while the host does not. After removing the alias I have to restart the services netif and routing to regain network access on the primary IP of the host. When the jail runs, I can ssh into it or I can ping it using the IP alias.

Based on the fact that I cannot ping external nodes using their IP my guess would be that there is something wrong with the routing. Name resolving does not work as my box is unable to reach the DNS servers.

Here is my `netstat -rn` output before adding the alias:

```
Destination        Gateway            Flags      Netif Expire
default            192.168.0.1        UGS         hn0
127.0.0.1          link#1             UH          lo0
192.168.0.0/24     link#2             U           hn0
192.168.0.51       link#2             UHS         lo0
```

and after the alias has been created:

```
Destination        Gateway            Flags      Netif Expire
default            192.168.0.1        UGS         hn0
127.0.0.1          link#1             UH          lo0
192.168.0.0/24     link#2             U           hn0
192.168.0.51       link#2             UHS         lo0
192.168.0.200      link#2             UHS         lo0
192.168.0.200/32   link#2             U           hn0
```

IPv6 values are omitted as I have disabled IPv6 by adding

```
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
```

to /etc/rc.conf

I am no expert at network setup, but I have read everything I could find about jails and IP aliases but I haven't found anything helpful. Maybe I am overlooking something trivial, but I have no idea what breaks network access on the host.
LittlePilgrim (121 rep)
Dec 5, 2015, 05:24 PM • Last activity: Oct 30, 2021, 10:04 AM
Showing page 1 of 20 total questions