Re: jails, cron and sendmail



Mike Meyer wrote:

That's just a default. You can change it by adding
cron_enable="NO" to /etc/rc.conf in each jail. So maybe the question
should be "Why haven't you turned off cron in the jails?"

Because the system uses cron to start its periodic scripts. The periodic
scripts are cool and useful in jails, especially the security scripts.
Thus I won't turn off cron.

Daniel Gerzo already pointed out how to solve that.

By checking periodic.conf? That doesn't prevent cron from sending
mail; that just turns off the periodic scripts that cron launches,
some of which also send mail.

But it prevents a vanilla system from trying to connect to localhost:25 once
a day. Only those periodic scripts send mail by default.

In order: right, wrong and right.

I'm afraid you're wrong.

The default configuration doesn't expose sendmail to the publicly
visible IP address. The daemon it runs only listens for connections to
the localhost address.

Which is rewritten to the jail's (externally visible) address on a connect().

If your concern is that shutting off a subsystem can break things -
I'd say that's a *good* thing. One of the things that make Unix
powerful is that it assumes the user knows what they are doing.

This is... a strange opinion... If the default exposes an unwanted
service to the world, then turning it off should not require in-depth
knowledge of how to prevent other things in the system from breaking. The
service should not even be there in the first place.

Given the choice between a system that does exactly what I tell it
to, and one that second guesses me, makes changes behind my back, and
makes setting things up the way I want a PITA, I know which one I
want.

I would choose and recommend the system that provides sane and secure
defaults without requiring me to understand all of the OS's subsystems.


Detecting that /etc/ is inside a jail environment and adjusting your
sendmail and periodic settings would be a nice thing to have.

Regards

erdgeist
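An added example, not part of the original message: a host-side check of one jail's /etc for the two things debated above, periodic output delivered by mail and the sendmail daemon that the default rc settings start. It assumes the stock FreeBSD knobs `daily_output`, `weekly_output`, `monthly_output`, `daily_status_security_output`, `sendmail_enable` and `sendmail_submit_enable`; the function names and the sample jail roots are constructed for illustration.

```shell
#!/bin/sh
# Audit a jail's /etc from the host for the mail paths discussed in the thread.
# The files are parsed, never sourced: jail-controlled shell must not run as host root.

# conf_value FILE KEY: print the last KEY=value assignment in FILE (quotes stripped).
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_jail ROOT: print one finding per line; return 1 if mail or an SMTP listener remains.
audit_jail() {
    rc=$1/etc/rc.conf pc=$1/etc/periodic.conf found=0
    for key in daily_output weekly_output monthly_output daily_status_security_output; do
        val=$(conf_value "$pc" "$key")
        case $val in
            /*) ;;   # appended to a log file, nothing is mailed
            *)  echo "periodic: $key=${val:-<unset>} is delivered by mail"; found=1 ;;
        esac
    done
    case $(conf_value "$rc" sendmail_enable):$(conf_value "$rc" sendmail_submit_enable) in
        [Nn][Oo][Nn][Ee]:*|[Nn][Oo]:[Nn][Oo]|:[Nn][Oo]) ;;   # no SMTP listener is started
        *)  echo "sendmail: a daemon listening for SMTP is still started"; found=1 ;;
    esac
    case $(conf_value "$rc" cron_enable) in
        [Nn][Oo]) echo "note: cron is off, periodic security scripts will not run" ;;
    esac
    return $found
}

# demo: build two constructed jail roots (sample data, not from the thread) and audit them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vanilla/etc" "$tmp/quiet/etc"
    : > "$tmp/vanilla/etc/rc.conf"            # untouched defaults
    printf '%s\n' 'sendmail_enable="NONE"' > "$tmp/quiet/etc/rc.conf"
    printf '%s\n' 'daily_output="/var/log/daily.log"' \
        'weekly_output="/var/log/weekly.log"' 'monthly_output="/var/log/monthly.log"' \
        'daily_status_security_output="/var/log/security.log"' > "$tmp/quiet/etc/periodic.conf"
    for j in vanilla quiet; do
        echo "== $j"; audit_jail "$tmp/$j" || echo "-> $j still mails or listens"
    done
    rm -rf "$tmp"
}

# Run the demo when called without arguments, otherwise audit the given jail root.
if [ "$#" -gt 0 ]; then audit_jail "$1"; else demo; fi
```

The "vanilla" root reports all four periodic outputs and the sendmail daemon, while the "quiet" root keeps cron and the periodic scripts running and reports nothing.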
